Wednesday, August 16, 2006

More on Security ROI or ROSI (rosy? :-))

Looks like more and more intelligent folks are jumping on the "there is no security ROI" bandwagon:

"'I truly believe there is no real ROI,' says Kevin Mandia, CEO of the security consultant firm Mandiant. 'A lot of smart people have sat around trying to think about this for the last 10 years and nobody has come up with anything.'"

That is a good point. However, I am somewhat undecided about this one myself, since I've met folks who honestly claimed that they "built the thing" [ROI for security] and their bosses were happy with it (and let them buy all the toys...) and it looked legit.

So, is there an ROI? I guess at this point the debate degrades into Clintonian "what 'IS' is?" :-) ROI is there and the ROI approach is quite effective in selling security to those who believe there is an ROI! Keep it in mind...

It seems that most of those who argue with ROSI argue with the "R" part - the return. Do you ever get a return, or do you get "loss prevention"? Ah, this one won't be resolved for a while :-)

Dr Anton Chuvakin