The Secret to Getting a Return on Your Annual Security Investment
Posted on Tue, Aug 31, 2010
For more than 2,500 years a very interesting group of people called alchemists had spent their lives searching for the secret of turning lead into gold. Today a similar challenge seems to exist in the security industry. Many security leaders spend their careers searching for the secret of turning expensive security measures into a return on investment or ROI. So what is the secret that eludes so many? How can a security leader prove to the organization that the annual expenses being consumed by the security department are generating return for the business?
It turns out that the secret to getting a return on your annual security maintenance investment is to perform the maintenance before the equipment fails. If you already knew this, congratulations, you are one of the select few.
Why Is It So Secret?
Frankly, it’s not really that much of a secret. In fact, anyone who performs annual preventative maintenance on their security system is getting an increased ROI from their investment. The problem is that many organizations find it difficult to measure the ROI of security, especially security equipment maintenance, in a meaningful way.
Many organizations will compare the costs associated with the repair of a system after a failure with that of annual maintenance costs and conclude that it’s cheaper to just wait and fix the system when it fails. But this thinking is not only ignoring a major cost influencing factor, but it’s dangerous to the security and stability of the organization, its people and its assets.
What Is The Major Cost That Is Being Ignored?
By comparing only the cost of repair vs. maintenance, the organization is failing to recognize the cost of a system failure. By performing repairs only when system components fail, the organization is increasing its risk. If your organization has a Risk Management department, go ask them how much increasing risk costs. The answer may make your head spin.
The cost of increased risk can be measured in a variety of ways, but two of the most common are based on 1) the cost and likelihood of an average security breach and 2) how the lack of maintenance affects the organization’s liability.
The Cost of a Security Failure
How much do you think a security failure costs you? If your access control system fails and locks out all of your employees, how long will it take you to repair the problem and allow those employees to be productive again? 2 hours? 8 hours? 2 days? How much does that lost productivity cost you? Alternately, if your security system isn’t working because it’s not securing the property, when do you think you’ll find out? Will it be after someone enters the property and carries off a laptop or two? Or worse, what if your intellectual property or confidential records are exposed? How much would that cost your organization?
Let’s assume that without maintenance, your system would fail about once a year, on average, costing you $300 in repairs. Let’s also assume that preventative maintenance would reduce that failure rate to once every 5 years, but costs $600 per year. If you use just these figures, over a course of 5 years the comparison might look something like this: $300 x 5 = $1,500 for break-fix repairs; $600 x 5 + $300 (the cost to repair one failure) = $3,300 for maintenance.
Most people would stop right there and say that maintenance is almost twice the cost of repairs. But they’re only seeing half the picture. Let’s say that the security failure creates 2 hours of lost productivity for 10 employees. Each of these employees is paid $50/hour, but gets no work done during the failure. Now the calculations look something like this: ($300 + $500) x 5 = $4,000 for break-fix repairs; $600 x 5 + ($300 + $500) = $3,800. Now maintenance is looking more attractive.
Of course, lost wages are only a small portion of the cost of a security failure. A failure can also incur the cost of lost opportunity to make money, the cost of damages or loss of property and the cost of loss in brand equity or the damage to your organization’s reputation. All of these are real costs that should be included in your ROI calculations.
Liability
But there is a greater cost that’s even harder to calculate, that of liability. Legal precedent has been set, especially in commercial/retail and real estate industries, that if an individual is using your property and there is a security system installed, that individual can expect a certain level of security to be maintained. If the organization fails to provide that level of security and an incident occurs, that organization may be liable for damages because they failed to provide that expected level of security.
By proactively maintaining your system, you not only reduce the likelihood of an incident, you also help protect yourself against costly liability by doing everything in your power to provide the level of security your clients or employees should expect.
The Secret to Maximizing Security Maintenance ROI
So what’s the secret? Proactively maintain your system. By doing so, you’ll be able to reduce the number of security incidents and failures that occur in the long run, and each incident carries a number of costs with it. Additionally, you can increase your ROI even more by being proactively prepared to react to a security incident or failure in order to minimize the impact of the event.
If you haven’t been measuring, tracking or estimating these costs and using them in your ROI calculations to management, you could be missing part of the picture. This leads to a question for each of you: what are you including in your ROI calculations? (P.S.: If the answer is nothing, because you’re not measuring ROI for your security, you really need to start ASAP!
On a Related Note
If you’re interested in learning more about minimizing the cost of a security incident or failure, you should read our newest whitepaper “The Cost of Failure: Advice from an Expert on How to Minimize the Impact of a Critical System Collapse.”