Security: The Elephant in The Cloud

How much does it cost? How long will it last? How will it improve the way we do business?In the age of cloud, traditional ROI-related questions are just the beginning. Server lifespan is irrelevant, and latency can make or break millions in revenue. Security has become a major item on the balance sheet, and for good reason.Technology is evolving faster than the regulations that protect us. That causes security-conscious companies to address much more than just building a better firewall. It’s an ongoing monitoring and iteration of checks and balances—affecting your company’s policies and bottom line.

So how do you allocate budget for things that always change? The answer is to use money to build space—space to learn, space to evolve your approach and space to procure new tools as they hit the market.The cost of doing business has become dynamic. Allocating discretionary spending to explore new approaches—particularly in security—will give you innovation headroom.Such a budget for experimentation allows innovations not only in IT tools, but also innovations within the services that secure them.Cloud Redefines Profit And LossIT departments have responded to the onslaught of public cloud by switching their value calculations from capital expenditures to operating expenditures—from CapEx to OpEx.Accounting for upfront capital investments doesn’t make sense when you’re renting IT infrastructure. The beauty of most public cloud infrastructures is that you don’t need to estimate capacity in advance. So CapEx is no longer as applicable as it once was.Clusters of servers, run by different providers, now conduct multiple IT functions remotely. OpEx accounts for the ongoing expenditures and fluctuations in costs associated with cloud’s pay-as-you-go model.In fact, a worthy cloud application should not only improve productivity and reduce costs—value as defined in a traditional ROI equation—but also enable better central management and open up a wider range of scalability.The Forgotten Number In Your Budget?But the investment that almost everyone forgets to factor in is the ongoing cost of security.Between Target, Anthem and JP Morgan Chase, you’ve already read it many times: One attack will significantly damage brand equity, which took years to build. The variety and innovation in breaches constantly tests the limits of existing approaches.It’s best described as an arms race between IT and attackers.

Security breaches always seem to be one step ahead of efforts to mitigate them. Early cloud environments were fundamentally insecure when they were built, so black-hat parties capitalized before security experts could lock them down. Indeed, basic protections like end-to-end encryption are just starting to hit the consumer cloud marketplace.In the meantime, because malicious parties have so much traction, defensive strategies are constantly changing. Improving protection could mean anything from procuring new hardware and software, to security audits, to new compliance processes.Those constant adaptations are simply a cost of doing business. IT must learn about the latest breaches, adapt its technological arsenal to address them, and adopt new cloud-security innovations as they arrive.Did Somebody Say, “Epistemic Modal Logic?”No existing ROI model accounts for every aspect of the unknown.So how do you account for security in your ROI calculation? Innovation headroom.Since the situation and the technology can change so quickly, the best approach is to create a discretionary budget that lets you experiment with the appropriate security measures of your particular industry. It also allows you to optimize utilization of what you already have.When it comes to security, giving yourself room to maneuver is the only way to make sure that you are leaving no stone unturned. In the ever-evolving world of cloud applications, you’ll find that the extra budget will go far beyond paying for itself.The Bottom LineYou can model and predict your business in finite detail, but at the end of the day, it’s often the unexpected that makes, breaks or at least alarms you.

If you factor in the unexpected, you’ll be able to account for things you couldn’t anticipate in advance. As a known unknown, the “forgotten number”—really the unanticipated number—will prompt you to adapt.In a time of aggressive breaches and rocky brand equity, that adaptation can be vital to your short-term and long-term success.*The original post appeared in Forbes.