February 10, 2008   Sign In |  About ebizQ |  Contact Us |  Join ebizQ Gold Club
Peter Schooff
Peter Twenty-Four Seven Security
 Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

« Absolute Necessity of Mobile Encryption | Main | The Biggest Challenge Facing Identity and Access Management »

November 27, 2007
The Difficulty of Determining Security's ROI

An interesting discussion has broken out on Christopher Hoff's Rational Survivability blog about how hard it is to effectively determine the true ROI of all the various tools needed to maintain an organization's security.

This inquiry kicked off with Hoff at a meeting in France, where Hoff was asked about the business value of the information security department, or what the other person termed the "No Department."

The simple question was: Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?

As Hoff points out, this is not about risk management, which security often encompasses, but a direct question about ROI. And the trouble with discussing profit in terms of security is that security is often just a cost center, and many security apps like firewalls and antivirus and application security don't enter into the profit equation (one exception is identity and access management, which can often improve efficiency).

To answer the question, Hoff went so far as to create a new term for ROI, which he termed RROI, meaning Reduction of Risk on Investment. But the problem of taking a pure risk approach to security is that many business folks are quite used to dealing with risk and will simply opt to accept the risk instead of spending 10,000 dollars to protect only a hundred dollars worth of assets.

Back in my days with Message Partners, which is an email security platform, our product was email middleware, and very often made it much easier for ISPs to introduce new email offerings (at an added price, or to remain competitive), so we were glad to bring up ROI in our discussions.

But still, most security is just cost against loss, and costs not tied to ROI are often the first to go in a downturn (or even in an upturn). But barring stopping all security efforts in order to set a base cost/benefit, a simple way to at least determine a loss that hasn't happened yet is to set the bare minimum of $90 dollars per record compromised, which in no way factors in loss of reputation which can result in loss of business (but I hear people are still shopping quite happily at TJ Maxx).

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2909

Comments Post a comment




Remember Me?

(you may use HTML tags for style)

We ask that you type your code (displayed below) in the text box.This code is an image that cannot be read by a machine. It prevents automated programs from submitting comments.


Code:



Most Recent ebizQ Blog Entries
ADVERTISEMENT
Subscribe
News Feed
Recent Posts
Categories
Archives
Blog Roll
Blogosphere
This Work
Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ
Subscribe to our Newsletters
ebizQ Weekly Gold Club Update
Live Webinar Updates
Updates from ebizQ Partners
ebizQ SOA Update
ebizQ BPM Update
ebizQ Security Update
ebizQ BI Update
ebizQ Open Source Software Update
Virtual Show Newsletter
Your E-mail Address:
BAM: The Killer App for CEP
Date: Feb 12, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Event Processing Market Pulse
Date: Feb 14, 2008
Time: 12:00 PM ET
(17:00 GMT)
I WANT TO ATTEND
Archived Webinars | Upcoming Webinars

Marketing Solutions | Feedback | About ebizQ | Unsubscribe | Privacy Policy | Site Map