A Case Study: Demonstrated ROI Isn't Everything

By Dr. Larry Ponemon

When evaluating ROI, consider that quantifiable results often can't
be demonstrated for security, as more than one company has learned.

Illustrating that is the story of "Papa Lopez." Founded nearly 30
years ago by an immigrant with little cash, the line of Mexican food
products grew from a generations-old secret recipe for salsa.

Years later, his daughter, a Wharton business school graduate,
assumed control of the successful company, whose products crowded
grocery store shelves. A respected consultant, Maria excelled in
one-to-one customer marketing strategies.

Maria's first step was meeting with the senior management team to
announce some major changes; instead of marketing only to
distributors and supermarkets, the company would target consumers
directly. Papa Lopez acquired mailing lists to directly reach out to
new prospective customers and soon had a large U.S. customer
database.

The CIO proposed an IT budget for the next fiscal year, including
investment proposals for customer relationship management (CRM), a
network wireless communications configuration to support the sales
force and business partners, and recommendations for critical
infrastructure controls for information security.

He easily completed a rigorous analysis for the CRM and network
wireless communications proposals. However, security was almost
impossible to define in ROI terms. As a consequence, Maria and the
board authorized the CRM and network improvements, but not the
security safeguards.

Maria began rewarding employees who came up with innovative ways to
increase sales. One suggestion merged Papa Lopez's database with that
of a pharmaceutical company when a medical study showed a strong
correlation between people with digestive problems and consumers of
spicy foods.

Then lightning struck.

Papa Lopez's database was hacked. All customer records, which
included the names, addresses and credit card information, were
compromised. The database also included the customer list from the
retail pharmaceutical company's database.

The CIO explained to Maria that the company's outsourced CRM
application resided on an extranet platform and provided numerous
direct avenues to the database. To improve productivity, the sales
force and business partners could use PDAs to quickly check customer
profiles and specific market segments.

The absence of a contingency plan meant the hacking issues didn't go
away; it was weeks before perimeter controls and an IDS could be put
in place.

Later, Maria received a letter from India that informed her that the
secret salsa recipe that had been in her family for more than 200
years was now in someone's hands in Hyderabad. The writer warned that
unless she paid a significant ransom, the recipe would be handed over
to a competitor.

Making matters worse, Maria received notice from the California
Attorney General's office stating that Papa Lopez could be charged
with criminal violations under SB 1386, which mandates that companies
disclose security breaches that compromise certain personally
identifiable information of California residents.

Customers of the pharmaceutical company began receiving e-mail
messages from companies they never had a relationship with. Many
suspected that their personal health data had been stolen and began
to take legal action.

Maria's sales dropped 50%. The board blamed the decrease in revenues
on negative publicity.

Developing a precise ROI for security is a challenge for IT
departments because security affects many different business
activities and areas of an organization. The challenge is to
understand the interrelationships between a company's IT
infrastructure and various business processes.

In this case, the company's CRM application created new security risks
for Papa Lopez. The CIO wasn't able to provide the company's board of
directors with the true costs of the security needed to protect the
customer database or the opportunity costs that would result if a
security breach occurred. As a result, the board didn't approve his
budget request. If he'd been able to demonstrate the ROI, he would
have been able to turn a security threat into an opportunity and
demonstrate the value of a strong IT function to the company's success.

Dr. Larry Ponemon is chairman and founder of the Ponemon Institute,
an organization focused on the development of privacy audits, privacy
risk management and ethical information management.


Copyright 2003-2004 DGKL, Inc.

For information on reproducing articles on this site, visit http://www.esecurityguy.com/reproduction