Thursday, January 25, 2007

ROI on Not Getting Your Ass Whooped

So, what is the ROI on not jumping off a building? Do you, like, compute it before performing a "not jumping off a building act." Obviously, that is stupid.

Fine, let's try this one next - what is the ROI of not going to jail (and sharing a cell with whatever Bubba)? Well, most if not all people know that they must not go to jail, without doing an ROI computation, not even an ad-hoc one :-)

Then why, oh why, are you doing an ROI on compliance? If you have a well-defined regulation with a clear track record of pursuing its offenders, you don't comply because some semi-intelligent "ROI computation" tells you to. You comply because you have to! You don't use a formula; you do it because you have no choice.

You can argue with the law and try to influence whatever lawmakers to make a new or a better one, but you follow it while it stands ...

Anonymous said...

Thank you for linking to the Datasecurity blog on PCI. We do not propose that you ask, "to comply or not to comply." We propose that you structure how you comply by factoring in your costs, benefits, and risks.

What you need to understand is that "compliance" is not black and white, instead 80% of it is shades of risk tolerance. This is one of the reasons why "compensating controls" are so important in the compliance process.

I argue there is a need for all executives to generate a list of tasks required for compliance and then make business decisions on how to implement those requirements (which will vary depending on system architecture, configuration, and risk level).

Please comment away on our blog and continue to voice your feedback. =)


Anton Chuvakin said...

Thanks for the comments!

Well, in some cases it is pretty :-) black and white. In fact, I like your final quote a lot: "Companies need to stop complaining about the cost of compliance and trying to justify the short term costs against potential fines. [...] Once a company understands this risk they should scrap their ROI formulas and invest more time in compliance with PCI."

Focus on achieving compliance and not on justifying it.

Anonymous said...

Yes, we agree with that. Sometimes you need to first relate to your audience and then explain why a certain rationale is just not the right approach.

I can justify PCI compliance with numbers, but I prefer the "auto insurance" analogy I always use.


Rob Ciampa said...
Great thread here with some nice pragmatic reality. The question still remains: how much do we have to spend NOT to get our asses whooped? We know we have to do it, but where is the line?

We continue to struggle in the security industry because it's so difficult to assign value to what we're protecting.

What should be straightforward economics remains an elusive target. We don't know what our "stuff" is worth, but we do know what our job is worth. The response? Let's spend big to cover our ass.

Anonymous said...

These comments have been invaluable to me as is this whole site. I thank you for your comment.

Anton Chuvakin said...
Dr Anton Chuvakin