Adam Shostack responds to my comment on his blog about ROI for security in a way that suggests that he actually does believe you can get ROI from security, but that it doesn’t matter because the ROI technique itself is flawed. Now, I was responding to this point:
"But the biggest problem is that quantifying the cost of a breach is hard"
My point was that ROI in security doesn’t necessarily have to come from the reduction or elimination of incidents, and it seems to me that this is the clear implication of that statement (read it in context to confirm). Here is my story (and I’m sticking to it):
- ROI can come in two different ways – by increasing revenue or by decreasing costs. If you don’t agree with this, then no cost center in a company – HR, Administration, Finance, IT, etc. – can get an ROI.
- We currently spend money on security – preventive, detective, reactive and recovery operations throughout. This money is spent on people and products.
- No organization is completely efficient or completely effective. If one were both, ROI or any other sort of return would be unattainable.
- If we are not completely efficient, we spend more than we need to in productivity costs. If we are not completely effective, we spend more than we need to in incident costs.
- If we can reduce spending in any of these areas, then we can get ROI, or IRR, or some other type of return, on security.
It could be that I am overreacting to the very common assertion in our profession that "you can’t get ROI from security" but it is curious to me how both Shostack and Dr. Gordon (in his CSI session) appear to shift between "difficulty in quantification of incidents" to "ROI is not a good technique" as arguments when discussing the issue.
The first point is really the only one I care about. Stay tuned for more on this in an Information Security Magazine upcoming feature. It is pretty important. The second one is fine – I understand that time value of money is important and believe that if somebody wants to take the next step and factor that in, then power to ‘em. I consider it a victory just to get folks to buy into any sort of return to begin with.
The first point, we’re in agreement on. I think that a lot of security economics is made harder by the difficulty of quantification. I think a lot of presentations of security economics are hurt by using a technique other than the corporate standard.