Measuring the ROI of Security Training

Marc Winner hasn’t come up with a way to precisely measure the return on investment for security training. What he does know for certain, however, is that the $100,000 or so that his company spends annually to keep employees on their toes is part of the price of operating in the web security space.

According to Winner, director of information technology and information assurance at WhiteHat Security, questioning whether or not to invest in security training is a bit like asking whether or not his Santa Clara, California-based company wants to stay in business. After all, clients, some of them Fortune 500 companies that stand to lose millions per successful attack, don’t want to work with service providers that fail to properly train their own staff.

“I don’t have a real hard number that I could say I put in 100k and my ROI was 250k,” he acknowledges, adding that all of the company’s workers receive security training specific to their job functions. “I don’t have that kind of a number. But I can say with a straight face that if I didn’t do it, we wouldn’t be getting the [contracts] that we get.”

Measuring the ROI for training isn’t as easy as it might appear to be. Victor Nappe, chief executive officer of SECNAP Network Security, agrees and also insists that regulations governing some industries actually override ROI considerations.

SECNAP, a boutique cyber security company based in Boca Raton, Florida, develops and provides next-generation IT solutions that enable businesses to operate securely and privately online.

According to CEO Nappe, whose company was founded in 2001 and has just under 50 workers, ROI, at the best of times, can be hard to nail down. Furthermore, laws governing some sectors are such that companies tend to be more focused on compliance to avoid possible fines and/or jail time than on ROI.

“In healthcare, where we’re actually very focused, the laws that are now being passed and [that] have been passed are so strong that the ROI is thrown out the window,” says Nappe, an Internet entrepreneur and e-commerce professional specializing in technology, mergers and acquisitions, and venture capital. He adds that this is the case because “by not having security you not only subject your company to [possible] fines, but you subject yourself to [possible] jail time as an officer of a healthcare records company…”

Click here for a PDF of the complete article.