cybersecurityeurope PAGE 46

investments. A high ROI means the investment’s gains compare favourably to its cost. Low ROIs suggest an investment’s propensity to deliver value was poorly judged. Naturally, with the latter, it depends on who judges. The definition of ROI is conditioned by the perception of performance effectiveness – how well does a product or service do what it’s supposed to do.

For many of those working on the practitioner side in the IT industry, ROI is an overused buzzword that’s beloved of solutions vendors and product consultants, but of limited value for those tasked with making comparative evaluations based on technical features.

“The term ROI is frequently misused to attach a meaning or connotation that it does not originally have,” says Ilia Kolochenko, CEO at Web security provider High-Tech Bridge. “Cyber security is primarily designed to serve business by mitigating the risks to the acceptable level. Thus, I would not expect that money invested in cyber security per se will bring dividends or a common notion of profit.”

Kolochenko adds: “A cyber security solution also brings ROI if it prevents practical, reasonably certain and measurable losses. Obviously, its overall costs, including (but not limited to) costs of maintenance and personnel training, should be lower than potential losses.”

A potential pitfall for managers lies in the assumption that there are innate similarities between ROI as applied to standard IT that supports line-of-business applications, and ROI applied to cyber security products and services - a mistake that dates from the time when security was just another facet of mainstream IT operations.

As cyber threat levels grew, along with the requirement to ensure that organisations’ system security was equally strengthened to withstand increased attacks, the proportion of budget claimed by security products, services and specialists increased.

Executives can add something to the cyber ROI debate by keeping their organisations’ ‘risk appetite’ defined and up-to-date.

“The difference is that on the business side, ROI denotes a clearly measurable financial benefit,” says Dr Klaus Gheri, VP Network Security at Barracuda Networks. “Among the IT security community, ROI often refers to avoided potential costs that would have resulted from a security breach. In essence, this is about risk reduction, making it hard to prove, which in part explains why it is harder to communicate than tangible money saved or earned.”

Another complexity is that, arguably, as operating systems and applications become more secure, cyber security becomes the prevalent IT force. This complicates the question of how well cyber security delivers adequate ROI, because it becomes embedded in the hardware and software designed to support line-of-business applications that drive your enterprise forward.

An important ROI distinction is that many aspects of enterprise cyber security are now subject to a range of national and
