In today’s corporate environment, information security is an important concern and organisations are seeing their security expenditure spiraling upwards. Neville Madan, CFO, Mahindra Special Services Group, speaks to Biztech2.0 and elaborates on the concept of tangible RoI on Information security expenditure.

Where does security stand from a CFO viewpoint?

From a CFO’s point of view, security is an important concern. In today’s scenario information needs to be protected from your competition as well as your competitors. I feel as a CFO you need to spend adequately on information security.

Is it possible to measure tangible RoI on information security, as it's not a revenue generating process?

Yes, I do feel that you can actually calculate the RoI on information security spends. You need to look at this problem from two different angles. One of which is a People-Process-Technology standpoint. You look at the security spends as an investment into improving an organisation’s workforce, business processes and technology infrastructure. The other viewpoint is that of maintaining a competitive edge. If you have a clear competitive advantage and you don’t allow any information leaks, this scenario presents a clear, tangible RoI.

What are some best practices to follow to ensure a high RoI on an information security investment?

As I mentioned earlier, the people-process part of the value chain needs to be strengthened first. When you ensure this fortification, you automatically take care of the three pillars of competitive advantage, regulatory compliance and positive assurance or brand image. In my opinion, when these pillars have been taken care of the organisation’s information security investments will be fruitful.

How can a CIO make the case for information security to the management?

The three basic pillars on which any organisation runs are competitive advantage, regulatory compliance and positive assurance or brand image. In order to enhance the viability of these three pillars, you need to evaluate the existing state of your business processes and plug any information leaks. By following this mandate you can decrease the actual amount spent on security technology to protect this advantage. By iterating these facts to upper management, a CIO can convince them of the importance of allocating a percentage of the organisation’s annual IT budget for information security expenditure.

How do CIOs generally allocate funds for information security investments?

Most CIOs that I have come across do not pay adequate attention to information security. Therefore they do not have a sum in the annual IT budget that is earmarked for security expenditure. However, Mahindra Special Services Group has been able to help educate certain CIOs into actually allocating a portion of their IT spends towards information security. This is because we feel it is of vital importance for protecting any organisation’s competitive advantage.