The Real Cost of Cybersecurity

April 1, 2003

by Samuel Greengard

Protecting information systems is as much a financial issue as a technical one. Understanding risks, benefits and costs is a key concern.

Gerald Wicker didn't have to read newspaper reports about hackers bringing corporations to their knees to know that his company should take stringent measures to ensure its cybersecurity. The only questions for Wicker are how much to spend and what to focus on. The CFO of Extreme Logic Inc., an Atlanta-based software development and consulting firm, knows that there's no ironclad method for locking down his company's systems. "It's important to understand risks and vulnerabilities and recognize which investments provide the best level of protection," he says.

For Wicker, that philosophy has translated into a security strategy that focuses on evaluating internal systems, ranking risks and funneling investments appropriately. Instead of forking over huge sums to secure Extreme Logic's Web site -- which doesn't support e-commerce or other e-business transactions -- he has put his money into virtual private network (VPN) applications and virus protection and detection tools that keep the IT environment free of malicious software and intruders. "If someone vandalizes the Web site, we can fix it. If someone steals data, we might find ourselves out of business," Wicker explains.

These days, cybersecurity is approaching the foreground of corporate consciousness. As organizations migrate to open systems that interconnect through the Internet, the risk of intrusions, theft and damage grows. What's more, managing a patchwork of security tools and systems can tax the resources of even the most tech-savvy enterprise. "The question for any organization is how to allocate money wisely. It's essential to conduct a thorough inventory of systems and create a risk profile that fits the organization," says Jeffrey H. Broadhead, Americas security practice leader for Cap Gemini Ernst & Young in Vienna, Va.

Of course, deciding which measures are worth taking to protect corporate IT systems can be tricky. As software becomes more complex and budgets shrink in these lean times, choosing the right plan -- and then putting it into action -- might seem an impossible chore. Making matters worse is the fact that security investments do not help with the launch of new products, nor do they boost sales. The money that goes into firewalls, intrusion detection and anti-virus software draws dollars, marks and yen away from more attractive investments.

That's why finance should play a key role in the decision-making process. By developing methods for quantifying the cost of various risks, including direct and indirect losses, companies can approach security in a systematic and holistic way. Says Rebecca Wettemann, vice president of research for Nucleus Research Inc., a Wellesley, Mass., consulting firm that specializes in ROI analysis, "There's no quick calculator for ROI. Security isn't an IT issue; it's a corporate issue that requires input from all the various departments, including finance."
