Return on TCO: why measure the cost of security?

December 2003 News & Events

Total cost of ownership (TCO) is not a new concept. Management teams at all levels have always wanted to define the real cost of resources in order to plan and manage budgets, but the pressures of today’s business environment have raised the profile of TCO once again. Boards are keen to measure the lifetime cost of virtually every asset and resource and calculate return on every investment – but how do you measure the value of security?

The equation of cost versus benefit becomes extremely difficult to solve when dealing with security. What price should an organisation put on the security of its systems? And what cost is justified in ensuring that these systems are continuously available and functioning? Not only are the risks of failure very high, but the complexity of the calculation across multiple sites, technologies and implementations that comprise a business' security infrastructure is significant.

The most common response to the above is to say you cannot put a cost on security - so people do not and TCO calculations are not applied. However, recent calculations have shown that this lack of transparency has led many businesses to massively over-pay for security and to become lax in the management of ongoing costs in this area.

Knowing TCO - a complex process

TCO seeks to define the total cost of an asset or resource over its lifetime, including initial purchase price, support contracts, servicing, upgrades, associated consumables and human resources to manage it. Analyst firm Gartner introduced the term over 15 years ago and since then it has been most commonly applied to computer systems and the related consumable materials (ink, toner, paper, etc). However, the concept is now being broadened to include almost every investment. Knowing the TCO is a vital first step in demonstrating to finance departments that money is being well spent.

The problem is that it is very complicated to measure TCO and there are few agreed approaches. With complex systems such as security and firewall implementations, it is not always clear what to measure and how. The first step is, therefore, to define what you need to measure in order to calculate TCO. We have divided the various costs into two groups: fixed and variable.

Fixed costs

Fixed costs are attached to the hardware, software and related support and maintenance contracts. Usually, these are all 'up-front' costs incurred at the time of the initial investment, including dedicated servers, firewall software and maintenance contracts. They are therefore easy to calculate and can also be spread across the life of the implementation for the purposes of the TCO calculation.

They also include annual maintenance costs charged by vendors and these can vary widely. Standard products based on the IBM/Intel platform tend to have lower annual maintenance costs and may be worth considering over specialised proprietary solutions. Users should also consider the whole software and hardware requirement in calculating these costs. Different topologies and infrastructures may lead to radically different maintenance costs - even though individual elements are broadly similar.

Variable costs

Then there are the broader variable costs: management of upgrades, on-going maintenance, telecommunications, training and cost of downtime. These are much harder to evaluate as they bring into consideration elements such as management time, estimates of usage and utilisation of company resources that are often not easy to price. Since many of these costs are internal overheads they are often not considered. However, they do have an impact on the overall cost and effectiveness of a solution.

As an example of how these costs can and should be calculated, let us look at a routine firewall upgrade and maintenance process. Firstly, three software elements must be considered: the operating system, the firewall/VPN itself and the high availability/load management software. On average it takes over two hours to upgrade the OS, about the same for the firewall and about half an hour for the high availability software. In addition, engineers will spend, on average, about 16 hours identifying and testing the combination of these three sub-systems. Therefore, the first node will take over 21 man-hours to upgrade. Even allowing for faster implementation on subsequent nodes (we calculate approximately five hours per node) a typical upgrade of 10 firewalls will take almost nine days! The impact on TCO of this level of management overhead is obviously huge.
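The upgrade arithmetic above, turned into a small reusable model so the same calculation can be rerun for a different estate size, upgrade frequency or labour rate. This is an added example, not the article's own calculation or any Stonesoft tool; the first-node figure of 21 hours and the 5 hours per subsequent node are the article's rounded totals, while the working-day length (7.5 hours), the number of upgrades per year and the engineer hourly rate are assumptions chosen for illustration.

```python
"""Labour model for a routine firewall upgrade across an estate (added example).

Component figures follow the article: OS ~2 h, firewall/VPN ~2 h, HA software
~0.5 h, plus ~16 h of compatibility testing on the first node. The article rounds
the first node to "over 21 man-hours" and allows ~5 h for each subsequent node.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UpgradeEffort:
    first_node_hours: float          # full upgrade plus combination testing
    next_node_hours: float           # each further node, testing already done
    hours_per_day: float = 7.5       # assumed length of an engineer's working day


def first_node_components(os_h: float = 2.0, firewall_h: float = 2.0,
                          ha_h: float = 0.5, testing_h: float = 16.0) -> float:
    """Sum of the per-component estimates for the first node.

    With the article's approximate figures this gives 20.5 h; the article
    rounds upward to 'over 21', which ARTICLE_EFFORT below uses directly.
    """
    return os_h + firewall_h + ha_h + testing_h


# Aggregate figures as stated in the article, with an assumed 7.5 h working day.
ARTICLE_EFFORT = UpgradeEffort(first_node_hours=21.0, next_node_hours=5.0)


def total_upgrade_hours(nodes: int, effort: UpgradeEffort = ARTICLE_EFFORT) -> float:
    """Engineer hours for one upgrade cycle over `nodes` firewalls.

    Only the first node carries the testing overhead; every node after it is
    charged at the faster subsequent-node rate.
    """
    if nodes <= 0:
        return 0.0
    return effort.first_node_hours + (nodes - 1) * effort.next_node_hours


def upgrade_days(nodes: int, effort: UpgradeEffort = ARTICLE_EFFORT) -> float:
    """Elapsed working days for one upgrade cycle, at the assumed day length."""
    return total_upgrade_hours(nodes, effort) / effort.hours_per_day


def annual_upgrade_cost(nodes: int, upgrades_per_year: int, hourly_rate: float,
                        effort: UpgradeEffort = ARTICLE_EFFORT) -> float:
    """Annual labour cost of upgrades, a variable-cost line item for the TCO.

    `upgrades_per_year` and `hourly_rate` are assumptions the reader supplies;
    the article gives neither.
    """
    return total_upgrade_hours(nodes, effort) * upgrades_per_year * hourly_rate


if __name__ == "__main__":
    # The article's scenario: ten firewalls, one upgrade cycle.
    print(f"first node (components): {first_node_components():.1f} h")
    print(f"10 nodes: {total_upgrade_hours(10):.1f} h "
          f"= {upgrade_days(10):.1f} working days")
    # Illustrative assumptions: four upgrade cycles a year at 50 per hour.
    print(f"annual labour cost: {annual_upgrade_cost(10, 4, 50.0):.0f}")
```

Swapping in your own component estimates, day length and rate is enough to reproduce the "almost nine days" figure for your estate, and the annual cost function gives a number that can sit directly in the variable-cost column of a TCO sheet.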

The 'price' of downtime

Whatever the 'price' of firewall downtime, these regular costs are a drain on resources that could be spent elsewhere. Moreover, as human resources are constrained there is an opportunity cost associated with spending this much time regularly upgrading systems. Two outcomes are likely: either essential maintenance and upgrades are postponed or ignored due to time pressure, or other tasks are put off pending its completion. All these issues have an impact on the total cost of a solution. Additionally, consider the list price of the hardware and software, look at annual maintenance costs and investigate the likely resources necessary for upgrades, how frequent these will need to be and what impact they will have on your IT management resource.

A defensive asset

Ultimately, any discussion of TCO feeds into an assessment of return on investment. The difficulty with calculating the value of a security solution, and therefore the ROI, is that it is essentially a defensive asset. Unlike other IT investments, or investments in people and other assets, it is difficult to show the value that has derived from it. You cannot calculate the value of not having a virus, nor the value of successfully avoiding hackers. The only indications you may be able to use are the damage done to similar businesses by such acts. This makes ROI less useful in these situations, but strengthens the case for TCO. The presentation of a well-conducted TCO analysis to back up investment decisions will go a long way in convincing senior management that money has been spent well and with foresight.

Nigel Rix

For more information contact Nigel Rix, regional director UK, Ireland and South Africa for Stonesoft Networks.

Stonesoft Networks are exhibiting at Infosecurity Europe 2004, which is Europe's number one IT security exhibition. The event brings together professionals interested in IT security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27 to 29 April 2004. www.infosec.co.uk
