Return on TCO: why measure the cost of security?

December 2003 News & Events

Total cost of ownership (TCO) is not a new concept. Management teams at all levels have always wanted to define the real cost of resources in order to plan and manage budgets, but the pressures of today’s business environment have raised the profile of TCO once again. Boards are keen to measure the lifetime cost of virtually every asset and resource and calculate return on every investment – but how do you measure the value of security?

The equation of cost versus benefit becomes extremely difficult to solve when dealing with security. What price should an organisation put on the security of its systems? And what cost is justified in ensuring that these systems are continuously available and functioning? Not only are the risks of failure very high, but the complexity of the calculation across multiple sites, technologies and implementations that comprise a business' security infrastructure is significant.

The most common response to the above is to say you cannot put a cost on security - so people do not and TCO calculations are not applied. However, recent calculations have shown that this lack of transparency has led many businesses to massively over-pay for security and to become lax in the management of ongoing costs in this area.

Knowing TCO - a complex process

TCO seeks to define the total cost of an asset or resource over its lifetime, including initial purchase price, support contracts, servicing, upgrades, associated consumables and human resources to manage it. Analyst firm Gartner introduced the term over 15 years ago and since then it has been most commonly applied to computer systems and the related consumable materials (ink, toner, paper, etc). However, the concept is now being broadened to include almost every investment. Knowing the TCO is a vital first step in demonstrating to finance departments that money is being well spent.

The problem is that it is very complicated to measure TCO and there are few agreed approaches. With complex systems such as security and firewall implementations, it is not always clear what to measure and how. The first step is, therefore, to define what you need to measure in order to calculate TCO. We have divided the various costs into two groups: fixed and variable.

Fixed costs

Fixed costs are attached to the hardware, software and related support and maintenance contracts. Usually, these are all 'up-front' costs incurred at the time of the initial investment, including dedicated servers, firewall software and maintenance contracts. They are therefore easy to calculate and can also be spread across the life of the implementation for the purposes of the TCO calculation.

They also include annual maintenance costs charged by vendors and these can vary widely. Standard products based on the IBM/Intel platform tend to have lower annual maintenance costs and may be worth considering over specialised proprietary solutions. Users should also consider the whole software and hardware requirement in calculating these costs. Different topologies and infrastructures may lead to radically different maintenance costs - even though individual elements are broadly similar.

Variable costs

Then there are the broader variable costs: management of upgrades, on-going maintenance, telecommunications, training and cost of downtime. These are much harder to evaluate as they bring into consideration elements such as management time, estimates of usage and utilisation of company resources that are often not easy to price. Since many of these costs are internal overheads they are often not considered. However, they do have an impact on the overall cost and effectiveness of a solution.

As an example of how these costs can and should be calculated, let us look at a routine firewall upgrade and maintenance process. Firstly, three software elements must be considered: the operating system, the firewall/VPN itself and the high availability/load management software. On average it takes over two hours to upgrade the OS, about the same for the firewall and about half an hour for the high availability software. In addition, engineers will spend, on average, about 16 hours identifying and testing the combination of these three sub-systems. Therefore, the first node will take over 21 man-hours to upgrade. Even allowing for faster implementation on subsequent nodes (we calculate approximately five hours per node) a typical upgrade of 10 firewalls will take almost nine days! The impact on TCO of this level of management overhead is obviously huge.

The 'price' of downtime

Whatever the 'price' of firewall downtime, these regular costs are a drain on resources that could be spent elsewhere. Moreover, as human resources are constrained there is an opportunity cost associated with spending this much time regularly upgrading systems. Two outcomes are likely: either essential maintenance and upgrades are postponed or ignored due to time pressure, or other tasks are put off pending its completion. All these issues have an impact on the total cost of a solution. Additionally, consider the list price of the hardware and software, look at annual maintenance costs and investigate the likely resources necessary for upgrades, how frequent these will need to be and what impact they will have on your IT management resource.

A defensive asset

Ultimately, any discussion of TCO feeds into an assessment of return on investment. The difficulty with calculating the value of a security solution, and therefore the ROI, is that it is essentially a defensive asset. Unlike other IT investments, or investments in people and other assets, it is difficult to show the value that has derived from it. You cannot calculate the value of not having a virus, nor the value of successfully avoiding hackers. The only indications you may be able to use are the damage done to similar businesses by such acts. This makes ROI less useful in these situations, but strengthens the case for TCO. The presentation of a well-conducted TCO analysis to backup investment decisions will go a long way in convincing senior management that money has been spent well and with foresight.

Nigel Rix
Nigel Rix

For more information contact Nigel Rix, regional director UK, Ireland and South Africa for Stonesoft Networks.

Stonesoft Networks are exhibiting at Infosecurity Europe 2004, which is Europe's number one IT security exhibition. The event brings together professionals interested in IT security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27 to 29 April 2004. www.infosec.co.uk





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
From the editor's desk: A burning issue
Technews Publishing News & Events
      Welcome to the first publication from SMART Security Solutions devoted to the fire industry. In the BMI report, sponsored by the Elvey Group, released earlier this year, fire was the smallest component ...

Read more...
From the editor's desk: Keeping them out, keeping you aware
News & Events
Alarm, intrusion, and perimeter protection have been part and parcel of South African society for years. Many years ago, a home alarm consisted of wires covering one’s windows, which caused an alarm ...

Read more...
SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Workforce Consortium to reskill 95 million people
Editor's Choice News & Events AI & Data Analytics
ICT Workforce Consortium of global leaders has come together, committing to train and upskill 95 million people over the next 10 years, as 92% of jobs analysed are expected to undergo either high or moderate transformation due to advancements in AI.

Read more...
Tech Trailblazers seeks the most innovative and diverse investors in enterprise tech
News & Events
This year, the global enterprise tech startup awards, the Tech Trailblazers, is looking for the most innovative and diverse VCs as well as its usual hunt for groundbreaking tech start-ups.

Read more...
ONVIF standards drive growth in physical security market
News & Events
ONVIF has announced that more than 30 000 product models in the $120  billion global physical security market meet the ONVIF conformance requirements for interoperability.

Read more...
Western Digital reveals new solutions
Products & Solutions News & Events Infrastructure
Western Digital unveiled new solutions and technology demonstrations at the Future of Memory and Storage Conference 2024. The innovations cater to diverse market segments, from hyperscale cloud to automotive and consumer storage.

Read more...
Challenges in SMME financing and support
News & Events Financial (Industry)
In a step towards empowering small, medium, and micro enterprises (SMMEs), a recent forum was held in KwaZulu-Natal aimed at developing and growing SMMEs through public-private collaboration.

Read more...