Return on TCO: why measure the cost of security?

December 2003 News & Events

Total cost of ownership (TCO) is not a new concept. Management teams at all levels have always wanted to define the real cost of resources in order to plan and manage budgets, but the pressures of today’s business environment have raised the profile of TCO once again. Boards are keen to measure the lifetime cost of virtually every asset and resource and calculate return on every investment – but how do you measure the value of security?

The equation of cost versus benefit becomes extremely difficult to solve when dealing with security. What price should an organisation put on the security of its systems? And what cost is justified in ensuring that these systems are continuously available and functioning? Not only are the risks of failure very high, but the complexity of the calculation across the multiple sites, technologies and implementations that make up a business's security infrastructure is significant.

The most common response to the above is to say that you cannot put a cost on security, so people do not, and TCO calculations are not applied. However, recent calculations have shown that this lack of transparency has led many businesses to massively over-pay for security and to become lax in the management of ongoing costs in this area.

Knowing TCO - a complex process

TCO seeks to define the total cost of an asset or resource over its lifetime, including initial purchase price, support contracts, servicing, upgrades, associated consumables and human resources to manage it. Analyst firm Gartner introduced the term over 15 years ago and since then it has been most commonly applied to computer systems and the related consumable materials (ink, toner, paper, etc). However, the concept is now being broadened to include almost every investment. Knowing the TCO is a vital first step in demonstrating to finance departments that money is being well spent.

The problem is that it is very complicated to measure TCO and there are few agreed approaches. With complex systems such as security and firewall implementations, it is not always clear what to measure and how. The first step is, therefore, to define what you need to measure in order to calculate TCO. We have divided the various costs into two groups: fixed and variable.

Fixed costs

Fixed costs are attached to the hardware, software and related support and maintenance contracts. Usually, these are all 'up-front' costs incurred at the time of the initial investment, including dedicated servers, firewall software and maintenance contracts. They are therefore easy to calculate and can also be spread across the life of the implementation for the purposes of the TCO calculation.

They also include annual maintenance costs charged by vendors and these can vary widely. Standard products based on the IBM/Intel platform tend to have lower annual maintenance costs and may be worth considering over specialised proprietary solutions. Users should also consider the whole software and hardware requirement in calculating these costs. Different topologies and infrastructures may lead to radically different maintenance costs - even though individual elements are broadly similar.

Variable costs

Then there are the broader variable costs: management of upgrades, on-going maintenance, telecommunications, training and cost of downtime. These are much harder to evaluate as they bring into consideration elements such as management time, estimates of usage and utilisation of company resources that are often not easy to price. Since many of these costs are internal overheads they are often not considered. However, they do have an impact on the overall cost and effectiveness of a solution.

As an example of how these costs can and should be calculated, let us look at a routine firewall upgrade and maintenance process. Firstly, three software elements must be considered: the operating system, the firewall/VPN itself and the high availability/load management software. On average it takes over two hours to upgrade the OS, about the same for the firewall and about half an hour for the high availability software. In addition, engineers will spend, on average, about 16 hours identifying and testing the combination of these three sub-systems. Therefore, the first node will take over 21 man-hours to upgrade. Even allowing for faster implementation on subsequent nodes (we calculate approximately five hours per node) a typical upgrade of 10 firewalls will take almost nine days! The impact on TCO of this level of management overhead is obviously huge.
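The upgrade arithmetic above generalises to any number of nodes and any upgrade frequency, which is what a TCO spreadsheet actually needs. The following is an added worked example, not code from the article or from Stonesoft Networks: it encodes the article's rounded estimates (two hours for the OS, two for the firewall/VPN, half an hour for the high availability software, 16 hours of integration testing paid once, five hours for each subsequent node) and assumes an eight-hour working day, an upgrade frequency and an engineer's hourly rate, all of which are constructed assumptions that you should replace with your own figures. Because the article's inputs are approximations ("over two hours"), the model reproduces its totals only approximately.

```python
"""Upgrade-effort model for a multi-node firewall estate (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UpgradeEstimate:
    """Per-upgrade effort figures for one firewall node, in engineer-hours."""
    os_hours: float              # upgrading the operating system
    firewall_hours: float        # upgrading the firewall/VPN software
    ha_hours: float              # upgrading the high availability / load management layer
    integration_hours: float     # identifying and testing the combination; paid once per upgrade
    subsequent_node_hours: float # hours per node once the combination has been proven

    def first_node_hours(self) -> float:
        """The first node carries the full integration and testing effort."""
        return (self.os_hours + self.firewall_hours
                + self.ha_hours + self.integration_hours)

    def total_hours(self, nodes: int) -> float:
        """Engineer-hours for one upgrade cycle across the whole estate."""
        if nodes < 1:
            raise ValueError("an estate needs at least one node")
        return self.first_node_hours() + (nodes - 1) * self.subsequent_node_hours

    def working_days(self, nodes: int, hours_per_day: float = 8.0) -> float:
        """Calendar effort for one upgrade cycle, assuming an 8-hour day."""
        return self.total_hours(nodes) / hours_per_day


def annual_upgrade_cost(est: UpgradeEstimate, nodes: int,
                        upgrades_per_year: int, hourly_rate: float) -> float:
    """Annual variable cost of upgrade labour, the figure that feeds the TCO line.

    upgrades_per_year and hourly_rate are assumptions supplied by the caller;
    the article gives neither.
    """
    return est.total_hours(nodes) * upgrades_per_year * hourly_rate


# The article's rounded figures, encoded as constructed inputs.
ARTICLE_ESTIMATE = UpgradeEstimate(
    os_hours=2.0,
    firewall_hours=2.0,
    ha_hours=0.5,
    integration_hours=16.0,
    subsequent_node_hours=5.0,
)


def estate_summary(est: UpgradeEstimate, nodes: int,
                   upgrades_per_year: int, hourly_rate: float) -> dict:
    """One row of a TCO worksheet for an estate of the given size."""
    return {
        "nodes": nodes,
        "hours_per_upgrade": est.total_hours(nodes),
        "days_per_upgrade": est.working_days(nodes),
        "annual_labour_cost": annual_upgrade_cost(est, nodes, upgrades_per_year, hourly_rate),
    }


if __name__ == "__main__":
    # Assumed values for illustration: quarterly upgrades at 50 currency units/hour.
    for n in (1, 5, 10, 25):
        row = estate_summary(ARTICLE_ESTIMATE, n, upgrades_per_year=4, hourly_rate=50.0)
        print(f"{row['nodes']:>3} nodes: {row['hours_per_upgrade']:6.1f} h per upgrade, "
              f"{row['days_per_upgrade']:5.1f} days, "
              f"{row['annual_labour_cost']:9.0f} per year")
```

The point of separating `integration_hours` from the per-node figures is that the testing effort is paid once per upgrade cycle, not once per node, so the marginal cost of each additional firewall is far lower than the first; a TCO calculation that multiplies the first-node figure by the node count will overstate the labour cost, while one that ignores the integration effort will understate it.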

The 'price' of downtime

Whatever the 'price' of firewall downtime, these regular costs are a drain on resources that could be spent elsewhere. Moreover, as human resources are constrained there is an opportunity cost associated with spending this much time regularly upgrading systems. Two outcomes are likely: either essential maintenance and upgrades are postponed or ignored due to time pressure, or other tasks are put off pending its completion. All these issues have an impact on the total cost of a solution. Additionally, consider the list price of the hardware and software, look at annual maintenance costs and investigate the likely resources necessary for upgrades, how frequent these will need to be and what impact they will have on your IT management resource.

A defensive asset

Ultimately, any discussion of TCO feeds into an assessment of return on investment. The difficulty with calculating the value of a security solution, and therefore the ROI, is that it is essentially a defensive asset. Unlike other IT investments, or investments in people and other assets, it is difficult to show the value that has derived from it. You cannot calculate the value of not having a virus, nor the value of successfully avoiding hackers. The only indications you may be able to use are the damage done to similar businesses by such acts. This makes ROI less useful in these situations, but strengthens the case for TCO. The presentation of a well-conducted TCO analysis to back up investment decisions will go a long way in convincing senior management that money has been spent well and with foresight.

Nigel Rix

For more information contact Nigel Rix, regional director UK, Ireland and South Africa for Stonesoft Networks.

Stonesoft Networks are exhibiting at Infosecurity Europe 2004, which is Europe's number one IT security exhibition. The event brings together professionals interested in IT security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27 to 29 April 2004. www.infosec.co.uk
