Security ROI
Interesting essay on security and return on investment (ROI):
Let’s get back to ROI. The major problem the ROSI crowd has is they are trying to speak the language of their managers who select projects based on ROI. There is no problem with selecting projects based on ROI, if the project is a wealth creation project and not a wealth preservation project.
Security managers should be unafraid to avoid using the term ROI, and instead say “My project will cost $1,000 but save the company $10,000.” Saving money / wealth preservation / loss avoidance is good.
derf • July 18, 2007 3:56 PM
Value isn’t a security industry strong suit. There isn’t a direct correlation between the amount of money spent over the level of minimum best practices and the losses avoided. You can’t (legally) guarantee a loss. Even with infinite security dollars to spend, you can’t guarantee that the dollars spent over the minimum will actually prevent a loss.