Until recently, investing in information security has been
perceived as either a cost of doing business, or as a regulatory
compliance issue. However, financial officers and chief executives
are increasingly pressuring security professionals to justify IT
security investments in terms of overall business goals and return
on security investment (ROSI). Unfortunately, ROSI is difficult to
calculate using classical return on investment (ROI) methodology,
and budget justification has become difficult to demonstrate in
many corporate environments. An observable transition is underway.
Current trends and empirical observations indicate that the use of
security as a marketing differentiator may be a method of
justifying and/or recouping investments in security. Consumers,
business partners, corporate customers, and other organizations
increasingly consider the protection of information
assets—especially personally identifiable information (PII)—when
evaluating companies with whom to do business. When a company
markets its offerings as being more secure than those of
its competitors, it differentiates itself, allowing security
professionals to present a business case for security that addresses
the traditional concerns and expectations of financial officers and
other executives. In this paper, VeriSign examines security in the
context of the traditional goals and concerns of corporate decision
makers: overall business strategy, ROSI, and market messaging.