Ripping into ROI
Over at TaoSecurity, Richard Bejtlich writes:
‘ROI is no longer effective terminology to use in most security justifications,’ says Paul Proctor, Vp of security and risk strategies for META Group…
Executives, he says, interpret ROI as ‘quantifiable financial return following investment.’ Security professionals view it more like an insurance premium. The C-suite is also wary of the numbers security ROI calculators crunch.
‘Bottom line is that most executives are frustrated and no longer interested in hearing this type of justification,’ Proctor says. Instead, express a technology’s or program’s business value, cost/benefit analysis and risk assessment.”
Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool of free capital to draw on, etc. Techniques such as economic value add allow you to take some of these into account. But the biggest problem is that quantifying the cost of a breach is hard. Without knowing what the alternative is (to reserve or insure), its hard to justify much security spending. Computerworld has a good story “Where ROI Models Fail,” or see CIO’s “The Trouble With ROI” [link to http://www.cioinsight.com/article2/0,1397,1375275,00.asp no longer works] Roundtable for more on these issues.
Yes, you can get ROI. Think about Password Reset and Patch Management solutions. ROI comes simply from automating manual processes. No incidents required.
Even some “incidents” are frequent enough to gain an understanding of recurring costs – worms, spam, etc. All ROI-able if you ask me.