Showing a return on security investment

By Bob Violino  |  Posted 2008-01-09

Baseline spoke with Gilbert about the process he used to establish the Alstom security program and how he justifies investments in security.


How do you show a return on security investment?

Finding ROI is an evolutionary process. Each business may or may not have an idea of what type of metrics it wants to see, so it's the IT security professional's job to figure that out. The first thing is to report something. Sure, you've invested heavily in an information security program and you haven't suffered any major breaches or virus outbreaks, so what's there to say? It's imperative to keep the upper echelon informed of what hasn't happened.

Some examples on the technical side could be how many viruses were discovered and attacks prevented; how many attacks against the firewall were unsuccessful; the IDS/IPS reports; desktop, laptop, server patching statistics; how much spam was removed; statistics on malware/spyware removal; statistics from penetration and vulnerability testing. Clearly showing that security is being proactive is the key.

That's the easy part. The challenge comes when you have to translate all these great technical metrics into business language. Show time savings by allowing workers to be more productive and worry less about the myriad possible security issues. You have to connect the IT audit process with the business audit requirements. This helps in showing how IT security is enhancing and protecting the business. Build an annual "state of information security report" with both the technical and business data. This will ensure that IT security is getting the visibility it needs. Other examples include focusing on possible loss of business through reputation damage, legal action and privacy breach. These can also be calculated and shown in the ROI.
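The two halves of the answer above, gathering the technical counts and then translating them into a business figure, can be illustrated with a small reporting script. This is an added example, not code from the Baseline article or from Alstom: the "source key=value" log format, the event lines, the host names and the dollar figures are all constructed, and the business translation uses the standard annualized-loss-expectancy (ALE) form of return on security investment, which the interview does not spell out.

```python
"""Aggregate security-control events into the technical metrics the interview
lists, then express the program's value in business terms with a ROSI figure.

Added example, not from the Baseline article or from Alstom. The log format,
the event lines and the money figures are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in a hypothetical "source key=value ..." format.
SAMPLE_LOGS = """\
firewall action=deny src=198.51.100.7 dport=22
firewall action=deny src=198.51.100.7 dport=3389
firewall action=allow src=10.0.0.5 dport=443
antivirus action=quarantine file=invoice.exe host=wks-011
antivirus action=quarantine file=update.scr host=wks-042
ids action=alert signature=sql-injection-attempt src=203.0.113.9
mail action=spam-dropped count=1
mail action=spam-dropped count=1
patch host=srv-01 status=current
patch host=srv-02 status=missing
patch host=wks-011 status=current
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<source>\w+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Split one log line into (source, {key: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return m.group("source"), fields


def technical_metrics(lines):
    """Count events per category named in the interview (blocked attacks,
    malware removed, IDS alerts, spam removed, patch status)."""
    c = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            c["unparsed"] += 1          # keep a count of lines we could not read
            continue
        source, f = parsed
        if source == "firewall" and f.get("action") == "deny":
            c["firewall_blocked"] += 1
        elif source == "antivirus" and f.get("action") == "quarantine":
            c["malware_removed"] += 1
        elif source == "ids" and f.get("action") == "alert":
            c["ids_alerts"] += 1
        elif source == "mail" and f.get("action") == "spam-dropped":
            c["spam_removed"] += int(f.get("count", 1))
        elif source == "patch":
            c["hosts_total"] += 1
            if f.get("status") == "current":
                c["hosts_patched"] += 1
    return dict(c)


def patch_compliance(metrics):
    """Fraction of inventoried hosts that are fully patched (0.0 if none seen)."""
    total = metrics.get("hosts_total", 0)
    return 0.0 if total == 0 else metrics.get("hosts_patched", 0) / total


@dataclass
class RosiInput:
    single_loss_expectancy: float      # cost of one incident (response, legal, reputation)
    incidents_per_year_before: float   # expected incidents without the control
    incidents_per_year_after: float    # expected incidents with the control
    annual_control_cost: float         # yearly cost of the security investment


def rosi(inp):
    """Return on security investment, standard ALE model (assumed, not the
    interview's own formula): ROSI = (ALE_before - ALE_after - cost) / cost."""
    ale_before = inp.single_loss_expectancy * inp.incidents_per_year_before
    ale_after = inp.single_loss_expectancy * inp.incidents_per_year_after
    avoided_loss = ale_before - ale_after
    return (avoided_loss - inp.annual_control_cost) / inp.annual_control_cost


def state_of_security_report(lines, rosi_input):
    """Combine the technical counts and the business figure into one report."""
    m = technical_metrics(lines)
    return {
        "technical": m,
        "patch_compliance": patch_compliance(m),
        "rosi": rosi(rosi_input),
    }


if __name__ == "__main__":
    # Constructed figures: $250k per incident, 2 incidents/yr cut to 0.5, $120k program cost.
    print(state_of_security_report(SAMPLE_LOGS, RosiInput(250_000, 2.0, 0.5, 120_000)))
```

The technical half is what the firewall, antivirus, IDS, mail gateway and patch system already produce; the script only normalizes them into one table. The ROSI half is where the business assumptions live (what one incident costs, how many the controls prevent), so those inputs should come from the business audit side rather than from IT, and the annual report should state them explicitly next to the result.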

A survey conducted earlier this year by CompTIA showed that 62 percent of organizations have developed a comprehensive written IT security policy, compared with 47 percent two years ago. How important is it to have a written policy?

We have a written policy and I would agree that there is an understandable trend for organizations to create one if they are lacking. However, every industry is different and clearly some are more convinced than others of the need for a comprehensive written IT security policy.

How important is it to train employees in the need for diligence in information security?

Employee training is an important element in the overall information security strategy. Protecting users with technology is only the first part. Educating users on what to do—and what not to do—also plays a significant role. Taking the extra time to put a reason behind a control goes a long way in helping the user understand why a protective measure is in place.

What did you do while at the U.S. Department of Defense and how did that help you prepare for your role at Alstom Transport?

My very first job was with the DoD as a U.S. Army military policeman, so security has always been of great interest to me. I've worked as a computer specialist, IT manager, IT director, CISO and CIO within the DoD and NATO community. Each job has played a fundamental part in my overall development as an IT professional. Having all these different positions and experiences, and having to lead teams of diverse individuals from many different countries, really gives a person a unique perspective. With an enterprise as varied as Alstom Transport, experience in the international community was very helpful, as was my diverse background in IT systems, IT networking, information security, customer service and IT management.

What do you see as some of the biggest threats to corporate security today?

The answer really comes down to the type of information technology program you are trying to run. Are you more open-minded? Or is security a top priority? Clearly the level of security can be adjusted to any particular type of business or enterprise. Identifying the level of risk the organization is willing to accept gives you a good starting point. Taking control of the business aspects and keeping personnel trained and aware is more than half the battle. Starting with common-sense policies, procedures, access controls, audit functions, data protection and technical controls all play an integral part in being proactive and mitigating threats.
