Encryption ROI
Investing in encryption is a necessity for certain verticals, but tangible return on investment (ROI) can be difficult to determine. So how can you tell if your efforts are paying off? "Applying typical risk management methodologies to security often fails," believes Martin. "In the risk management model you define a risk to be a probability of an event multiplied by the loss you get if that event happens. In security, you really do not know the chance of the loss. It is very hard to get anywhere close to an accurate estimate. If you get hacked, what is the loss that comes with that? If you apply the classic risk management model to security it often produces puzzling results." In support of his point, Martin cites David Soo Hoo, a Stanford University Ph.D. who analyzed the ROI for various security technologies with some surprising results. "Soo Hoo's study reveals that organizations should not run a firewall, but that you should encrypt, because your data is everything and encryption is an easy way to protect it. Nobody is going to say: 'yes, let's tear out our firewall because this analysis says we should'. You are really managing uncertainty with security more than risk."
Because financial services, healthcare and government are so heavily regulated, encryption becomes a cost of doing business, but what of other industries? "Others will only resort to encryption if something in particular has happened," says Elgamal. "Another set are companies that share intellectual property between them and other entities, perhaps overseas for example, and they need to exchange information. The ROI on something like that is fairly simple, if the intellectual property leaks out you potentially have lost hundreds of millions. There have been a lot of examples of that. However, the reality is that most people wait until something happens first."
The cost-benefit of encryption can be found in reducing risk. "Usually the ROI is based on the costs of the potential exposure," states Kennedy. He says the numbers quickly add up when considering fines and penalties associated with the myriad of different state and federal regulations, the brand damage costs associated with embarrassing incidents being reported, the real costs of corporate espionage risks, and the exposure to lawsuits from employees and customers for mishandling of sensitive communications. "Exposure is simply unknown and limitless, as email continues to become the lifeline of businesses today. Avoiding this exposure means either reverting to FAX and express postal delivery or implementing email encryption. Most businesses understand the benefits of email, so email encryption is the enabling path to accelerating business while limiting exposure."
Dasher acknowledges that trying to determine encryption ROI has been tricky, but notes that it is getting easier to quantify the cost of a breach. "Buying, deploying and maintaining a sound security platform is far cheaper than dealing with a breach. It is not even a contest. Another interesting outcome from this year's Ponemon study is they are now able to see quantifiable customer turnover due to a breach. It is no longer about just the IT guy, or the security guys saying we have to do this for compliance. Now it is the VP of marketing or CMO saying: 'I may not understand this stuff, but the last thing I want to spend precious marketing dollars on is brand damage'." Indeed, the recent Ponemon Institute study reports that "increased customer churn rates help drive lost business costs higher. In 2007, the average resulting abnormal customer churn rate was 2.67 percent, an increase from 2.01 percent in 2006. Greater customer turnover leads to lower revenues and a higher cost of new customer acquisition resulting from increased marketing to recover lost customer business." The survey went on to reveal that "trust may be intangible and hard to quantify, but the result of breaking that trust is clear as the cost of lost business grew more than 30 percent since 2006."