RE: [ISN] Update: Money seen as biggest obstacle to effective IT security

From: InfoSec News (isnat_private)
Date: Fri Jul 18 2003 - 00:46:03 PDT


    Forwarded from: Nick Owen <nowenat_private>
    
    </lurk>
    
    > "Return on investment appears to have fallen out of favor as a
    > measure of the effectiveness of information security spending," Mark
    > Doll, Americas director of Ernst & Young's Security Services
    > division, said in a prepared statement. "It looks like we need to
    > find a credible alternative to conventional ROI approaches in order
    > to secure funds for the information security function."
    
    I've been chewing on some ideas in this regard.  Any feedback is much
    appreciated.
    
    ROI is an incomplete measure at best.  It provides an initial glimpse
    of the potential impact a project might have.  It is better to use a
    measure that includes the actual cost of capital, such as Net Present
    Value or economic profit (EVA is the trademarked term).
    
    To give an example: two projects - a $1,000,000 investment with a
    $100,000/year return or a $100,000 investment with a $10,000/year
    return.  ROI says do both. However, if the first project is riskier,
    it should be capitalized at a higher rate of return.  Both NPV and
    economic profit calculations will show this.
    
    To me, most security projects are focused on reducing the cost of
    capital, like insurance (and could be replaced by insurance).
    
    Break security projects down into two categories: enterprise-wide &
    project focused.  If you're protecting the enterprise or an enterprise
    asset such as a customer database, you're helping to decrease or
    maintain the enterprise's cost of capital.  A significant breach will
    have a negative impact on the value of the firm (see: The Effect of
    Internet Security Breach Announcements on Market Value of Breached
    Firms and Internet Security Developers,
    http://www.utdallas.edu/~huseyin/eventstudy.PDF, or just think of CD
    Universe).  The new California law SB 1386 will create more awareness
    of this effect.
    
    If you're part of a bricks & mortar firm starting a web commerce site
    targeting Internet riches, that project should have a much higher cost
    of capital than the rest of the firm.  Security measures will help
    reduce the cost of capital for the project.  If you reduce the cost of
    capital, the inherent value of the cash flows increases.
    
    That being said (and this will sound strange coming from a vendor) one
    way to assure project success is to invest smaller amounts upfront.  
    This is typically true in IT and is probably true in security.  
    Over-investing upfront is problematic.  Economic profit analysis shows
    this clearly - think of it like a credit card bill whose balance you
    can never pay down: the interest charges just keep racking up.
    Best to focus on projects that also reduce costs and can be measured -
    then perhaps target some more fuzzy return projects.
    
    Nick Owen
    
    --
    Nick Owen
    CEO
    WiKID Systems, Inc.
    404-879-5227
    nowenat_private
    http://www.wikidsystems.com
    The End of Passwords
    --
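Worked numbers for the ROI vs. NPV vs. economic profit argument in the message above, as an added example (editor's code, not part of the original post). The two projects and their annual returns are the ones Nick gives; the cost-of-capital figures (15% for the riskier first project, 8% for the second), the perpetuity treatment of the returns, and the "security programme lowers the rate to 12%" scenario are assumptions made for illustration:

```python
"""
ROI, NPV and economic profit for the two projects in the post above.
Added example, not from the original message.  Discount rates, the
perpetuity horizon and the 12% "after security spend" rate are assumed
for illustration; the post only gives investments and annual returns.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Project:
    name: str
    investment: float        # up-front capital
    annual_return: float     # steady cash return per year
    cost_of_capital: float   # risk-adjusted discount rate, 0.15 == 15%


def roi(p: Project) -> float:
    """Simple annual ROI: return divided by investment, risk ignored."""
    return p.annual_return / p.investment


def npv(p: Project, years: Optional[int] = None) -> float:
    """Net present value of the project's cash flows.

    years=None treats the return as a perpetuity (R / r - I); otherwise
    the return is an annuity over `years` with no residual value.
    """
    r = p.cost_of_capital
    if years is None:
        pv = p.annual_return / r
    else:
        pv = p.annual_return * (1 - (1 + r) ** -years) / r
    return pv - p.investment


def economic_profit(p: Project) -> float:
    """Annual economic profit (EVA-style): return minus capital charge.

    The capital charge r * I recurs every year, which is the credit card
    balance you never pay down from the post: over-invest upfront and the
    charge outruns the return indefinitely.
    """
    return p.annual_return - p.cost_of_capital * p.investment


def value_of_rate_reduction(p: Project, new_rate: float) -> float:
    """Gain in perpetuity value if a control lowers the project's cost
    of capital from p.cost_of_capital to new_rate.  Under this framing
    that gain is the ceiling worth paying for the control."""
    return p.annual_return / new_rate - p.annual_return / p.cost_of_capital


# The two projects from the post; rates are assumed, the first project
# being the riskier one and so carrying the higher cost of capital.
BIG_RISKY = Project("1M in, 100k/yr", 1_000_000, 100_000, 0.15)
SMALL_SAFE = Project("100k in, 10k/yr", 100_000, 10_000, 0.08)


def compare(projects=(BIG_RISKY, SMALL_SAFE)) -> Dict[str, Dict[str, float]]:
    """ROI, perpetuity NPV and annual economic profit per project."""
    return {
        p.name: {
            "roi": roi(p),
            "npv": npv(p),
            "economic_profit": economic_profit(p),
        }
        for p in projects
    }


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name}: ROI {m['roi']:.0%}, NPV {m['npv']:,.0f}, "
              f"economic profit {m['economic_profit']:,.0f}/yr")
    # Assumed scenario: security spend cuts the risky project's rate to 12%.
    print(f"value created by lowering the risky project's rate to 12%: "
          f"{value_of_rate_reduction(BIG_RISKY, 0.12):,.0f}")
```

Both projects show the same 10% ROI, so ROI alone cannot separate them; once each is discounted at its own risk-adjusted rate the first has a negative NPV and a negative economic profit every year while the second is (modestly) positive. The `years` argument shows the other trap: a 10% annual return that stops after a finite horizon never recovers the principal at any positive discount rate.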
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 04:05:27 PDT