Stories about Software


The ROI for Security Training

Editorial note: I originally wrote this post for the ASPE blog.  You can check out the original here, at their site.  While you’re there, check out their catalog of online and in-person training courses.

When it comes to IT’s relationship with “the business,” the two tend to experience a healthy tension over budget.  At the risk of generalizing, IT tends to chase promising technologies, and the business tends to rein that in.  And so it should go, I think.

The IT industry moves quickly and demands constant innovation.  For IT pros to enjoy success, they must keep up, maintaining a current understanding of a shifting landscape.  They also operate under a constant directive to improve efficiency which, almost by definition, requires availing themselves of tools.  They may write these tools or they might purchase them, but they need them either way.  In a sense, you can think of IT as more investment-thirsty than most facets of business.

The business’s leadership then assumes the responsibility of tempering this innovation push.  This isn’t to say that the business stifles innovation.  Rather, it aims to discern between flights of fancy and responsible investments in tech.  As a software developer at heart, I understand the impulse to throw time and money at a cool technology first and figure out whether that made sense second.  The business, on the other hand, considers the latter sensibility first, and rightfully so.

A Tale of IT and the Business

Perhaps a story will serve as a tangible example to drive home the point.  As I mentioned, my career background involved software development first.  But eventually, I worked my way into leadership positions of increasing authority, ending up in a CIO role, running an IT department.

One day while serving in that capacity, the guy in charge of IT support came to me and suggested we switch data centers.  I made a snap judgement that we should probably do as he suggested, but doing so meant changing the budget enough that it required a conversation with the CFO and other members of the leadership team.

Anticipating their questions and likely pushback, I asked the IT support guy to put together a business case for making the switch.  “Explain it in terms of costs and benefits such that a non-technical person could understand,” I advised.

This proved surprisingly difficult for him.  He put together documentation talking about the relative rates of power failures, circuit redundancy, and other comparative data center statistics.  His argument in essence boiled down to one data center having superior specs to the other, plus vague proclamations about best practices.

I asked him to rework this argument, suggesting he articulate the business case using something like a mad lib: “If we don’t make this change, we have a ______% chance of experiencing problem _______, which would cost $_______.”

This proved much more fruitful. We made the case to the CFO and then made the switch.

A Quick ROI Primer

In spite of my heavily IT-oriented background, in this role I had come to represent the business.  I recognized that, absent a financial argument, I couldn’t justify the investment to my peers.  For those reading with a less business-centric background, let me define a term.

What I nibbled at with my mad lib was a business concept called “return on investment” or, commonly, ROI.  For a simple example, consider home heating and air conditioning.  Perhaps you spend $125 per month on climate control in your house, but you know that you could probably reduce that figure by finding and eliminating air leaks.  A vendor offers to do that for $1,000.  Should you pay him?

When you contemplate this, you think in terms of ROI and something called payback period.  If you spend $1,000 and the vendor saves you $50 per month off your bill, you can do some quick math.  After 20 months, you will have saved $1,000 and broken even, making 20 months your payback period.  If you then own the house for another 60 months after that, you realize a $3,000 return on your investment.

In business, anything you buy or spend time doing should have a justifiable ROI.  For IT folks, this means everything from spending time automating stuff to buying text editors to paying for training.

Thinking About Security Training ROI

And that brings us back to the titular concept of security training ROI.  Unfortunately, reasoning about the benefits of security training proves much harder than reasoning about a predictable reduction in your heating and air conditioning bills.

But its challenging nature shouldn’t mean that you avoid it.  Rather, it just means that you’ll have to work harder to reason about it.  And then you’ll subsequently have to approach making the case for it to others with a bit more creativity and deliberation.

If you work as a software developer, IT pro, or someone technically focused, making ROI cases provides powerful ammunition for getting what you seek.  But as a leader with a budget, this becomes even more essential.  It lets you justify your spending decisions to peers and superiors, and it also lets you feel comfortable that you’re helping the business.

So how do you do it for security training ROI?  How do you justify something relatively indirect like this?

Simple Considerations

First of all, you might have some relatively obvious benefits to realize.  Consider, for instance, the case where you have a business opportunity.  Compliance with key standards, like HIPAA, often demands certain approaches to security.

Thinking through security training ROI then means weighing what it costs to send your people to training against the business opportunity.  What if you could offer HIPAA (or similar) compliance?  Could you win new contracts?  Or could you expand your business decisively?  Could you charge more for existing services?

Here, you can easily do some math to forecast the revenue associated with compliance.  Then it becomes a simple matter of weighing this against the cost to train your people for compliance.

Think Like Insurance Customers

But even if you lack immediately obvious compliance opportunities, you can still make the case for security training ROI.  After all, millions of people buy insurance without necessarily stopping to consider ROI.  And that’s probably good because insurance, almost by definition, has poor ROI.

That may seem crazy, but think of how insurance companies make money.  They write policies in such a way that the average person gets out roughly what they put in, making customer ROI effectively zero.  And yet, people still voluntarily invest.

Why?  Peace of mind.  The same holds true for taking security measures within a company.  So in cases with hard-to-quantify ROI, reason instead about effort and peace of mind.  What can staff do when they don’t have to worry about security, respond to breaches, and repair a damaged reputation?  And regardless of expectation, don’t you want to cover yourself against complete catastrophe, à la insurance?

The Personnel/Morale Angle

I’ll mention one final, subtle angle.  The IT industry makes a home for millions of creative, intelligent, and proud human beings.  And since they receive nice compensation, they draw motivation from sources beyond money, such as mastery, autonomy, and purpose.

Well, training scratches those itches.  Many companies have skill improvement/training budgets for a reason, and that reason goes beyond simple dollars-in-dollars-out concerns.  Employees want to improve, and they also want to feel that their company values them enough to invest in them.

So as you think through and make the case for security training ROI, think about the effect it might have on morale and job satisfaction among the people who will receive the training and apply it to the organization.  Even a tiny increase in morale means a boost in efficiency for the company.  Many people making business cases forget these types of concerns; I encourage you not to.

Money Well Spent

As I said in the beginning of the post, IT tends to go after innovation; the business tends to reel IT in, asking for justifications.  You need this dynamic to ensure that you spend money wisely, and the business case serves as the embodiment of the dynamic.

When it comes to leveling up IT staff security, you may find the business case somewhat abstract at first.  But don’t let that deter you.  Once you master the subtle concepts in play, the actual business justification becomes easy to make.  Security breaches can devastate your business from all kinds of angles, so arming folks in the organization for prevention will be money well spent.

1 Comment
6 years ago

This made me think a bit about the alternative to having security measures in place – what’s the Breach Plan? “Do you have a Breach Plan?” A DR plan is fairly common – and serves the case of a physical or technical event. But does your DR Plan include a Breach Plan? Would certainly be a good starting point in the Security Training piece of the puzzle (or just to watch heads go into the sand). That said, there’s a bigger convo to have on security as a whole where training is just one piece. A comprehensive security plan is…