Security ROI

Interesting essay on security and return on investment (ROI):

Let's get back to ROI. The major problem the ROSI crowd has is they are trying to speak the language of their managers who select projects based on ROI. There is no problem with selecting projects based on ROI, if the project is a wealth creation project and not a wealth preservation project.

Security managers should be unafraid to avoid using the term ROI, and instead say "My project will cost $1,000 but save the company $10,000." Saving money / wealth preservation / loss avoidance is good.

Posted on July 14, 2007 at 6:54 AM • 3 Comments

Comments

derfJuly 18, 2007 3:56 PM

Value isn't a security industry strong suit. There isn't a direct correlation between the amount of money spent over the level of minimum best practices and the losses avoided. You can't (legally) guarantee a loss. Even with infinite security dollars to spend, you can't guarantee that the dollars spent over the minimum will actually prevent a loss.

Lamont PetersonJuly 18, 2007 5:33 PM

I write and teach Linux/Free Software/Open Source for a living, including some security courses. One thing I always warn my students about is what I like to call, "metric(s) tunnel-vision" where you focus on one metric for measuring risk, risk-tolerance and security trade-offs. It's especially easy to focus on the money metric, especially because it's the way that managers think, work and decide.

As security professionals (and even "lowly" systems administrators dealing with security related to our areas of administration), we need to be very careful to not focus on just one or even a few metrics. We need to look at as many of them as we can. After all, just because you've identified the 5 metrics that matter to the organization you are servicing, doesn't mean that you have considered the metric(s) that likely attackers actually care about. If you say, "If we spend $30,000 on this widget, that data/asset which is worth $1,000,000 to us will cost an attacker $20,000,000 to crack through and access," a potential attacker (perhaps a competitor) might find that scenario very cost-effective if such a breach would cost you in other areas, like in the marketplace (think stocks and other securities) or might cost you a government contract, allowing them to become better positioned in the market.

There are always trade-offs to be made, but we need to consider each options effect on as many metrics as possible.

shoobe01July 19, 2007 9:52 AM

Its nice when you are in a regulated industry, and the government will impose daily fines and other sanctions for non-compliance (or poor compliance) with security regulations. Especially if not everyone knows exactly what the regs are, you can cheat a little to provide additional good security practices to the customers on the "the government will fine us!" argument.

I try to sell product owners on the value of not (further) ruining trust in our brand by (additional) security breaches. With the brand having a declared value of some billions of dollars, this seems like a winner, but only goes so far.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..