Firewalls have come a long way in the past 20 years, driven in part by the rising uptake of IP communications, itself driven by the IT phenomenon that is the Internet.
When the first firewalls were introduced in the late 1980s, few people foresaw that rule sets would become so large and complex, often containing hundreds of rules.
On top of this, the multi-vectored nature of the latest hacker attacks means that most organizations now need more than one firewall to protect perimeters, as well as sensitive internal network segments.
Multiplying the exponential growth of the number of rules across numerous firewalls makes managing rule sets an extremely difficult -- if not impossible -- task for medium to large organizations.
And this is where a security return on investment (ROI) framework analysis becomes necessary.
A security ROI framework analysis helps company managers and executives improve their overall security efforts more efficiently and cost-effectively.
In simple terms, the analysis quantifies projected ROI for security investments by investigating the potential financial impact of security situations across the enterprise's business segments.
A good analysis achieves this by quantifying the potential impact of security risk exposure on cash flow.
The resulting framework illustrates to enterprises the value of a high-level comparison of security programs versus other enterprise initiatives, while at the same time providing insight into the projected final impact of a given project.
A good analysis also focuses on the optimal areas for organizations to allocate their security expenditure based on cost, effectiveness and impact/potential impact on the business.
Creating a security ROI framework that provides an economical and effective security solution requires a number of steps and assessments, all of which are designed to help ensure accuracy and effectiveness.
The Analysis Process in Stages
The first stage in the process is to understand current threats and vulnerabilities to your organization by undertaking a formal assessment, including analyzing past attacks based on industry estimates and statistics.
The second stage, known as security incident characterization, defines the cost impact of security incidents on the organization, which can be categorized as network or business impacts.
The third stage is to assess the cost impacts on your organization:
Next Page: Taking It Further