So, a colleague sent me this link ("3 Metrics To Gauge Security Spending") and I was meaning to think and blog about it (yes, in that order :-)). But then Mike Rothman opined that this guy is a dumbass in his blurb "3 ways not to gauge security spending". So, what's the story?
First, bear with me since I am still trying to build a coherent picture of security ROI for myself from all the diverse sources of info, some as smart as Pete Lindstrom :-) In general, I am leaning towards "there is no ROI for security; there are only cost savings" (which, as my in-house Ph.D. economist stated, are neither the same nor equivalent).
So, let's see, what is this guy suggesting: "If security spending exceeds 10%, your business architecture is probably poorly designed to cope with attackers." Huh? What's up with the magic number? So, 9.5% certifies you as OK? Sounds like an application of "all hard problems of the Universe have easy, clear and simple INCORRECT solutions" :-)
Further, "If the cost of your security investment is 200% or more of the value of employee downtime, you may be spending too much on security." Same problem - see above, bro.
Going down, "If you are experiencing a loss of 1% or more in productivity, review how you are protecting your information." No comment, really. Wait, one, actually: bullshit.
And, on top of the above, I just hate it when people proclaim something truly obvious as if it were some kind of news, so this guy definitely commits this crime: "The goal of total security is not achievable in complex systems that have millions of hardware and software vulnerability points." Wow, that's deep, good thinking here... NOT! :-)
So, I am with Mike on this one and he said it best: "These 'metrics' will do nothing but waste your time, except maybe the 'gauging the cost of downtime' one. I can only hope your CIO didn't read this drivel, because then you'll start to see this crap on your 2007 MBOs."