The myth of security ROI
Submitted by Mike Rothman on Tue, 2006-05-02 10:03.
Every time I hear myself saying the same thing more than a few times, I figure I should probably write it down. Within the next day or two, my next appearance on Martin McKeay's Network Security Podcast and next week a tech tip for SearchSecurity underscore the same topic: the trade-off that every security professional must make every single day.
That's the trade-off between enhanced security and friction. Why don't I just say cost/benefit? Basically I think it's pretty much impossible to really quantify security. I know a lot of people spend a lot of time trying to figure out security ROI. There are vendors that put dashboards in place and end users that need to spend a bunch of time generating spreadsheets to justify buying something.
Unfortunately, they are making it up. So let's say you have a problem. What does it cost? First you concoct some numbers for loss expectancy. Are machines fried and in need of replacement? Then there is the cost of the time to fix all of the issues. These are pretty easy to determine and are a start.
But those numbers don't really get the attention of senior management. They don't care. What they are worried about is appearing on the front page of the Wall Street Journal. That gets their attention. Whether it's compliance related or privacy related, executives typically sign off on expenses to avoid those kinds of issues.
There is no return on investment for that, is there?
I'm a fan of giving the executives what they want. So you, as the security practitioner, should know what you want to buy. Maybe it's identity management, maybe it's NAC, maybe it's encryption or database security. You should have a working architecture or "future state" of what your infrastructure should look like.
The real art of what you do is to figure out how to get there. A lot of it involves robbing Peter to pay Paul over time. You want to attach to strategic initiatives (like outsourcing HR or a new ecommerce system) and build some new security-oriented gear into those projects. When the price tag for these projects is in the tens of millions, no one is going to miss the $500k you spend on security.
You also want to take advantage of budget line items, like compliance. Most big companies have specific money set aside to keep the executives out of jail. So figure out which of your strategic security projects can be wedged into the compliance budget. Is identity management or log management strictly for compliance? Of course not, but you can make the case that these offerings are critical for those efforts. And you get your money.
So here comes the trade-off. It's hard enough to get money for the things you really need. So you've got to decide what stuff you are not going to do. No one I know gets to do everything. There are always choices to be made.
You need to get a feel for the incremental increase in security from a specific investment. That must be weighed against the friction the additional security introduces. Friction can reflect hard costs (like buying something or operating it) or a degraded user experience. And don't minimize the user experience hit. Executives get grumpy when they can't do what they want, when they want to do it, from whatever location they choose. Ultimately you need to decide if it's worth it.
The other thing I'll tell you is that most likely you'll be wrong. You'll get nailed by something that you decided wasn't worth the money. But that's OK. Not even Ted Williams batted 1.000. But if you keep the future state in mind and have a plan to get there, you'll get nailed much less frequently. And ultimately that's the point.
Pretty good advice I think...
...but most of the post's value is in navigating practical realities of the corporate politik.
Risk mitigation is only possible when the risk itself is measurable. Unless the security system that provides security against breaches is mathematically complete (a certain and predictable outcome every time), there is no way to measure the probability of success or failure of its essential function of protection, so as Mike says, the figures are basically made up, even if they are based on probable guesstimates.