Adam Shostack writes about TaoSecurity’s posting referring to Paul Proctor’s "you can’t get ROI" comment on searchsecurity.com. I also was recently listening to Dr Lawrence Gordon’s talk at CSI (on mp3) where he said basically the same thing.
I beg to differ.
You can get ROI from security solutions by automating manual processes. Patch management and automated password resets are two solutions that don’t need "incidents" to gain a return.
My response is at http://www.emergentchaos.com/archives/000764.html
PS: Do you have a URL for that mp3?