What is threatening about ROI in security?

I really don’t understand why people are so threatened by the notion of ROI in security. Why on earth should they care whether someone can leverage the concept in support of their security goals? Is there some sort of godlike ultimate authority that will be angered by this usage?

Really, all of this stuff is mental accounting to begin with – to support or attack a concept tells us more about your personality and set of biases than it does defend some sort of universal truth, Anton’s friend’s ad hominem attacks notwithstanding.

Someone please give me a legitimate reason why you don’t want folks trying to be clearer about meeting their security objectives? In the end, it really is none of your business unless it involves your own organization, right?

A few other random points:

  1. Wealth creation and preservation are cool terms, which is why financial planners use them in marketing all the time, but there really is no such thing as wealth preservation by itself – it is always a result of creation and depletion at any point in time. (Even filling your mattress with money does not "preserve wealth"). There are costs incurred for every move to create wealth. If you can minimize those costs, you can maximize your wealth.
  2. Security is almost always a cost center. Cost centers are integral to the operation of a business. Whether you want to consider it part of some particular activity is up to you. I would suggest that since you can reduce recurring costs with, say, a patch management solution, you are contributing to higher net income and therefore can get ROI. You can also get ROI in many areas where you are inefficient to begin with – password resets are another easy area to gain ROI.
  3. ROSI and ROI are not the same thing. ROSI involves reducing the risk of future loss and is a measure of effectiveness. ROI in security involves spending less to maintain the same level of security and is (usually) a measure of efficiency.

6 comments for “What is threatening about ROI in security?”

  1. July 18, 2007 at 12:38 pm

    “…to support or attack a concept tells us more about your personality and set of biases than it does defend some sort of universal truth …”

    Pete, I absolutely agree with you, and I find it terribly amusing that you manage to do your ad hominem attacks indirectly, by impugning unflattering motives to anyone who disagrees with you (they’re afraid, they’re threatened, they’re lazy …).

    Nobody’s “threatened” by the misuse of a financial term. If you want to make the words “return on investment” mean whatever you want them to mean, more power to you. As Humpty Dumpty said, it’s a question of who’s to be the master, that’s all. But I’ll certainly bow to Anton’s in-house economics expert if I want to use the words correctly.

    Meanwhile, I’ll go take a look at the money under my mattress to see whether it’s currently creating or depleting.

  2. July 18, 2007 at 12:59 pm

    I think the problem is thus:

    * Idiot CEOs demand everything gets explained to them in terms of ROI.
    * Security people cannot answer this question.
    * Security gets screwed.

    And so people like Richard come up with a solution: (http://taosecurity.blogspot.com/2007/07/no-roi-no-problem.html)

    * Don’t use ROI for security.
    * If anyone does, belittle them.

    It might help long-term, because CEOs will get it through their little pinheads that they shouldn’t make one number the answer to everything.

    But in the short-term, it hurts CSOs who can make legitimate claims about “spending this $2000 will mean our company will have $5000 more at the end of the year.”

    And, yes, some problems don’t fit into the ROI category, such as merely protecting assets. In that case, go figure out how the physical plant group justifies their fire insurance, and then use that model to get your security budget approved.

  3. Pete
    July 18, 2007 at 2:07 pm

    @shrdlu (whoever you really are):

    - I have no doubt that I have my own personal biases. Everyone does – do you recognize it in yourself?

    - unless you happen to *be* the person in Anton’s house, or a good friend of that person, or Anton, why on earth would you magically agree with his “expert”?

    - financial managers, not economists, are better sources of information on ROI. I recommend googling “DuPont ROI” if you are really interested in the sordid past and current uses.

    - Put ten financial managers, economists, or what have you in a room and they will all disagree to some extent as to how a term like ROI is used.

    - I am not a Humpty Dumpty expert, so not sure how a question about ROI belief makes anyone a master.

    - The money under your mattress is (currently, anyway) depleting its wealth. Ask Anton’s economics expert how this can be true. (I suspect you already know this but were trying to make a point?)

  4. Luther Von Ruckerson
    July 19, 2007 at 8:00 pm

    Wealth is neither created nor destroyed; it merely changes hands.

  5. Rob
    July 20, 2007 at 11:45 am

    Very sensible approach to this repeating debate. I agree with you regarding ROI (3rd point).

    I think that people forget that we have an immediate sunk-cost associated with using IT models that have inherent design flaws. An enterprise must automatically spend 4-12% of their IT budget on security on a sliding scale depending on what they are trying to protect and the protection profile required.

    If they have determined that they are required to spend 8% of their budget to attain a tolerable risk level, and a new technology can reduce that spending level to 5 or 6% for the same risk level, then that is a return on investment due to the fact that you become more efficient in your overall productivity by reducing costs of operation.

    It seems to me that a reduction in sunk costs is the same as extra revenue on the bottom line.

  6. July 24, 2007 at 7:31 am

    Week’s Links

    * Multi-factor Authentication for Online Banking: Security or Snake Oil?
    * DCT, MPack developer
    * The Nduja Job: Into The World Of XSS Worms
    * Lessons Learned From the Deployment of a Smartphone-Based Access-Control System
    * Measuring Privacy Loss and the Impact of Pri
