More on ROI

I wanted to follow on the same theme as my previous blog and look more at issues of justifying spending on information security.

One of the difficulties might come from whether your organisation thinks of security as a cost or as an investment. If it’s a cost then the CIO will be looking for ways to cut it. If it’s an investment then it needs to be managed. What I’d be interested in learning is how many information security leaders are able to influence that level of thinking within their organisations.

Of course, understanding the way that such matters are influenced is a good start, and having an understanding of how to evaluate technology investments would also be a help. I suppose that one of the problem we have in security is the difficulty in measuring the effectiveness of investments against operating costs and net revenue. Security technology can appear to be a dead weight with few individuals even understanding its purpose let alone the value that it’s bringing to the business.

Perhaps it would be easier to justify if it wasn’t such a dark art. I’m referring to a paper published by one Dr John Leach entitled “Security & Engineering ROI” (apologies for not being able to find a reference for this one). Dr Leach states that we “should treat (information security) as an engineering discipline and reset our expectations about how security systems should be designed and evaluated” before going on to conclude that

Security ROI is just another way for the business to ask us to stop pretending that IT Security is a special type of magic practiced by a chosen few and to start asking security designers to behave like the security engineers they should be.

I don’t think I’m too wrong in stating my opinion that many security investments are based on little more that FUD – fear, uncertainty and doubt. Personally though I believe that we need to be making proper economic evaluations of security investments based on the costs and risks associated with security breaches, and taking into account the companies activities and operations.

I’ll put my soapbox away now however, I will be keeping my mind on this subject. Anyone care to comment?