Forwarded from: Richard Caasi <caasi@private>

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15600902&_loopback=1

By Bob Violino
Secure Enterprise
October 29, 2003

When Lew Wagner, chief information security officer of the M.D. Anderson Cancer Center at the University of Texas, began to build a business case for investing hundreds of thousands of dollars in technology to help thwart spam and viruses, he took it a step further than most IT shops.

Realizing that calculating the value of reduced risk is a murky arena often riddled with holes and question marks, Wagner sought concrete return-on-investment metrics to boost his argument.

"The ROI perspective comes from the fact that if you have impact against your IT and network resources, it results in downtime and lost ability to get things done," Wagner says.

Spam has been particularly costly. Wagner says the hospital and research institution's 13,000 employees would have received up to 25,000 spam messages per day had it not been for a spam-prevention service implemented earlier this year. In June alone, the service detected and blocked enough spam to account for more than half of all the messages received.

Wagner says spam threatened not only network performance but also worker productivity. He estimates that it costs the medical center $1 for each unwanted mail message that gets through to users' computers. He figures the Houston medical center receives about 620,000 spam messages during an average month, so successfully blocking them would theoretically free up $620,000 for other activities.

Wagner's figures are derived from independent studies on the cost of cleanup and the center's own experience. "We know we've been hit a certain number of times in the past," Wagner says. "We know we will have so many virus and service attacks, and we know how much it costs to fight them."

Crunching The Numbers

Analysts are mixed on whether Wagner's cost-per-spam figure overstates the problem.

Chris Williams, an analyst at Ferris Research, says users don't spend enough time clearing their inboxes to warrant such a high estimate. Still, he doesn't dispute that spam is a costly problem. Spam will cost U.S. businesses $10 billion in 2003--the result of lower productivity, loss of legitimate messages and the need for increased bandwidth and storage, according to Williams' research.

The $1-per-spam estimate may represent the far right of the spectrum, but it's conceivable, says analyst Rebecca Wettemann of Nucleus Research. Spam costs U.S. companies $874 per employee per year in lost productivity, based on hourly pay of $30 and a work year of 2,080 hours, according to a recent Nucleus report.

"There are a number of factors involved with spam, and the impact is different for every organization," Wettemann says.

Virus Attacks

Viruses are also a major problem for M.D. Anderson, which at one time was being bombarded by at least one serious virus attack--Klez, MyParty.com and Nimda, for instance--every month. Based on what it cost to clean up the Nimda outbreak in September 2001, Wagner estimates virus-cleanup costs at roughly $1 million per outbreak.

"We knew that if we could stop spam and viruses from coming into our network, we could free up money for research on new cancer-fighting drugs, to treat more patients, and for revenue-generating purposes and new projects," Wagner says.

Preventing the losses was part of Wagner's business case for buying security products, such as network- and server-level antivirus and antispam software from Trend Micro and a Web-based vulnerability-detection tool called WebInspect from SPIDynamics.

The Trend Micro antivirus package, which cost $150,000 plus $20,000 in annual maintenance fees, is stopping thousands of viruses each month from reaching the medical center's computers, Wagner says.

"I could tell the CFO that we were freeing up $12 million with a $150,000 investment," Wagner says. "We are in a sense creating revenue by freeing up money that would have been otherwise wasted. That's a very compelling ROI argument."

[...]