EAC Blog: The Hogwash of Security ROI

Submitted by Mike Rothman on Tue, 2006-07-25 06:44.

The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here.

As the Internet bubble burst, the bean counters reemerged as true power brokers over all things IT. For the most part that was a good thing, since IT pretty much spent like drunken sailors towards the end of the millennium and the hangover was pretty severe. It was up to the accountants to bring the Gatorade and Advil (my favorite hangover remedy) to restore some sanity.

In tight budget cycles, you need to rely pretty heavily on ROI (return on investment) calculations to justify spending anything. Over the years a number of folks got pretty good at showing how things like CRM and business intelligence provide a distinct return to the business. Those were easy cases to build because the technology really did favorably impact the business. But security professionals have always struggled with this, pretty much since the beginning of time.

Why? Because quantifying risk is an inexact science at best. You have no idea what the downtime of specific assets really costs. Figuring out "productivity improvements" due to not making someone jump through as many authentication hoops is suspect. And ultimately none of these calculations matter. The day an attack is successful and a network or application is compromised, all bets are off. The next day about 50 POs are cut to pretty much buy every product a technologist can get their hands on. Fool me once, shame on you. Fool me twice... or so the saying goes.

I bring this up because folks like Pete Lindstrom have been trying for years to do research and come up with a defensible model for what he calls ROSI (return on security investment). And he's failed. There are so many caveats attached to the number that it's just not believable. This has nothing to do with Pete's creativity or talent; he did his best. It's more about the impracticality of doing it in the first place.

But what really set me off was an article posted on SearchCIO from some folks at Alinean, who specialize in developing ROI models. I think that approach is hogwash. There is no way to gather most of those numbers. Not in a way that would let you sleep well at night. If you are okay presenting those numbers to a CIO or CFO with your credibility and career on the line, more power to you.

I know that my general disdain for ROI models puts many of my clients and readers of my personal blog in a bind because their bean counters want to see ROI information. But I say now is the time to RISE UP and fight the power. No, I haven't been listening to my classic Public Enemy CDs again; I really mean it.

In the time you'd spend making up some cockamamie ROI model, you could be doing real work. An alternative approach is to take some of that hard-fought budget and get a penetration test. I bet that within a day, your network would be proven to be Swiss cheese. Take the pen test report to your CFO, and don't forget your stack of POs for all the new stuff you need to buy.

There's your ROI model. A sophisticated hacker will make mincemeat out of your network unless you buy some stuff. How about them apples, Big Mr. Bean Counter? And while we're at it, let's discuss that BMW I've been looking at.