Tuesday, March 11, 2008

OMG, Security ROI Comes Back - And It is Mad As Hell :-)

OK, not really mad :-) In fact, pretty intelligent :-) But a new salvo has been fired in a "great security ROI war." Counter-salvos have been fired as well :-)

The salvo is the paper “The Fallacy of Information Security ROI” by Jon Pols ("ISSA Journal", February 2008), in which Jon argues against ROI for security: security earns no money, only savings, which are NOT the same thing. Jon instead proposes a "security as insurance" model which, in all honesty, I am not too comfortable with (since security doesn't "pay you back" after a breach).

ROI proponents "hit hard" in return: 'One is Jos Pols who, in his recent article “The Fallacy of Information Security ROI” in the February 2008 issue of the ISSA Journal (membership required to access link resource), claims that one cannot have a return where there is no income.' They then bring back the "return in the form of savings" argument (which many disagree with ...): 'this is an overly restrictive view of the meaning of the word “income.” The avoidance of potential losses redounds to the bottom line, as does revenue, so that a cost saving is a return on an investment.' Read the whole pro-ROI counter-point here.

The previous "ROI War" is cataloged here. Is a new one upon us? Unholster your handguns, charge the lasers, enrage your attack hamsters - hurraaaaaaaah!!!!! :-)


Unknown said...

I think "security as insurance" is already a bit misunderstood, or perhaps it is just misused. You're right, security won't pay anyone back, which is an essential component of the insurance function.

I think "security as insurance" would have to become even more of an audit and insurance function. For instance, I'll insure you for an $X policy if you demonstrate you have security in these checklists. Kinda like I'll insure you for fire if you have proper fire safety inspections and equipment.

I also don't think it will widely work to think of security as overall cost savings. First, that's just not intuitive, really. Second, that continues to justify security by monetary means, which will almost always result in inadequate coverage.

I think business deals with potential costs very badly, which is a large portion of what security deals with.

Anton Chuvakin said...

That is a VERY good point: insurance in the sense of a "special type of overhead expense that you just have to do" and not in the sense of "something that pays you back".

>overall cost savings
No kidding; I am AMAZED so many people are into that model ...

Dr Anton Chuvakin