Comments on TaoSecurity Blog: Glutton for ROI Punishment
Richard Bejtlich
Comment feed last updated 2023-10-16

2007-07-23 16:17 -04:00, Anonymous

"I think this example addresses the single biggest problem I have seen in so-called 'security ROI' proposals: the failure to tie the proposed security project to a revenue-generating business venture. In short, security for 'security's sake' cannot be justified."

Richard,

Excellent point; though we disagree about certain semantics, I completely agree with you on this. Security is a means, not an end. If security won’t increase profitability (in the long term), it’s not justified.

shrdlu,

I think the debate about whether security produces returns is something that educated people can disagree on. Certainly, it’s not true that all economists think the idea is silly. Specifically, Gordon stated plainly (http://www.bloginfosec.com/2007/07/18/email-from-dr-lawrence-gordon-security-roi-possible-but-not-optimal-use-other-metrics/) that he believes it’s correct to speak of security yielding returns (that’s not to say ROI – as opposed to IRR or NPV – is a good formula to use).

-Ryan Heffernan

2007-07-22 09:54 -04:00, Anonymous

There's probably a good corollary if we look to our physical security counterparts. I can't remember ever hearing physical security guys striving to justify projects with ROI. They say "we need to do project X to protect our people and our assets," and then articulate the risks and how their project will mitigate them. Maybe they don't fall into the ROI fallacy like we do since it's much easier to attach value to a human life than a piece of information... most senior managers wouldn't balk at a relatively expensive project if they knew it would save even one life or keep a building from being blown up. But an infosec project to keep 10,000 customer records from being lost? Well, we'd better see some ROI on that!!

2007-07-21 14:53 -04:00, Anonymous

Note to self: Pete's post (http://spiresecurity.typepad.com/spire_security_viewpoint/2007/07/ten-points-abou.html)

2007-07-21 10:42 -04:00, Unknown

The difference between a return and an avoidance seems to be the existence of an external threat or issue that reduces productivity? Email will increase efficiency but isn't avoiding anything; it's a great example of an IT project with a return. And any means to improve that efficiency is just a return.

But once you get someone or something external reducing your efficiency, that can be construed as security, or avoidance.

An interesting example!

2007-07-21 07:56 -04:00, Anonymous

I'm with ya all the way, Richard. The only way you can have security ROI is if you define "return" to mean "avoidance of loss" -- which I think a lot of people do. This gives real economists the heebie-jeebies, but gives security folks the comforting delusion that they're not just a cost center.

2007-07-20 21:38 -04:00, Anonymous

Richard, you sure are a glutton...

I agree with you 100%. There is no ROI on Security.

I've read all of your related posts and all of the links in the comments, and the links in those blogs, and the comments from the Economics Professors.

But still the point remains the same. There is no ROI on Security.
However, I will say that perhaps the problem here is not a disagreement over *if* there is a return, but rather *what* a "return" is.

Is a return a return to productivity (as in your example tonight)? Then yes, I agree that there is a return.

Is a return a savings in costs associated with doing business? Then yes, I agree that there is a return.

Is a return a profit or some other exchange of monetary value in for what you put into security? No, no, no! Can’t happen.

Is a return some sort of other value perceived by management? Well, maybe.

I think I see a lot of consultants responding to these posts. Perhaps (and I could be wrong) they have not spent a lot of time in the corporate world. In the corporate world, the IT department is usually a cost center. Sometimes, they are considered a profit center, but they are making a profit from internal customers. Therefore, they are not generating wealth that did not already exist.

That being said, the security department is always, always, always a cost center. They enable business, they consult with the business units and perhaps recoup a little bit. They may “sell services” to business units. But again, like the IT department, they are taking money from one business unit and putting it into another. There is no net gain. If I am in business unit “A”, and I generate $10,000, but I have to pay the $2,000 for the security solutions, I generate $8,000. The $2,000 is an expense. But at the same time, the IT staff doesn’t generate $2,000!

There is no magic security solution that I can implement that will directly affect profits. I increase productivity. I enable business to generate profits. But without the people whose productivity I increase, without the widgets that I enable the business to sell, there are no profits. Therefore, I cannot generate wealth for the company.