Solutions Snapshot – Jan. 2010
Question: How do you define the cost of security?
Richard Lefler, former CSO, American Express, Dean of Faculty, Security Executive Council: The traditional measurement of security costs includes operating costs, capital investments that measure what a company spends to protect its employees, brand reputation and often, customer relationships.
Businesspeople are trained to analyze the return that a given investment will yield, and often, if that investment does not meet the company “hurdle rate,” the investment is not made.
Measuring security returns is difficult for businesspeople because security programs prevent problems and financial losses (often measured as variable costs). So how do we measure the absence of a problem as a worthy return on investment?
One idea that seems to be resonating is to do risk assessment relative to the security exposures the company faces in achieving its business goals. Then design mitigation programs to offset specific risks that cannot be managed with other risk management solutions like, for example, insurance.
In effect, this shifts the focus to managing the risk exposure, instead of managing the cost.
Bob Hayes, Managing Director, Security Executive Council: During any persuasive executive presentation on security programming or initiatives, you can count on being asked how your idea or proposal compares to others in the industry and how the cost compares to your peers’. For decades, this has been problematic because of a total lack of common industry benchmarks and information sharing. There is no area in which this lack of shared definition is more evident than in determining the cost of security.
To complicate matters even further, there has never been more intense interest on management’s part in understanding and comparing these costs. This is due in part to the significant increases in total security budgets (often due to consolidating functions/services into security) in many companies over the last 10 years.
There is now an opportunity to participate in an initiative underway to define and establish benchmarks for the “Total Cost of Security.” It will be the first to account for costs associated with individual programs/services by facility, location, country, business unit, differing cost centers and other organizational variances. To receive the results of this groundbreaking research, you must participate.