Measuring the ROI of Security Training
Marc Winner hasn’t come up with a way to precisely measure the return on investment for security training. What he does know for certain, however, is that the $100,000 or so that his company spends annually to keep employees on their toes is part of the price of operating in the web security space.
According to Winner, director of information technology and information assurance at WhiteHat Security, questioning whether or not to invest in security training is a bit like asking whether or not his Santa Clara, California-based company wants to stay in business. After all, clients, some of them Fortune 500 companies that stand to lose millions per successful attack, don’t want to work with service providers that fail to properly train their own staff.
“I don’t have a real hard number that I could say I put in 100k and my ROI was 250k,” he acknowledges, adding that all of the company’s workers receive security training specific to their job functions. “I don’t have that kind of a number. But I can say with a straight face that if I didn’t do it, we wouldn’t be getting the [contracts] that we get.”
According to CEO Nappe, whose company was founded in 2001 and has just under 50 workers, ROI, at the best of times, can be hard to nail down. Furthermore, laws governing some sectors are such that companies tend to be more focused on compliance to avoid possible fines and/or jail time than on ROI.
“In healthcare, where we’re actually very focused, the laws that are now being passed and [that] have been passed are so strong that the ROI is thrown out the window,” says Nappe, an Internet entrepreneur and e-commerce professional specializing in technology, mergers and acquisitions, and venture capital. He adds that this is the case because “by not having security you not only subject your company to [possible] fines, but you subject yourself to [possible] jail time as an officer of a healthcare records company…”