Forwarded from: Adam Shostack <adamat_private>

On Fri, Jul 18, 2003 at 02:46:03AM -0500, InfoSec News wrote:
| Forwarded from: Nick Owen <nowenat_private>
|
| </lurk>
|
| > "Return on investment appears to have fallen out of favor as a
| > measure of the effectiveness of information security spending," Mark
| > Doll, Americas director of Ernst & Young's Security Services
| > division, said in a prepared statement. "It looks like we need to
| > find a credible alternative to conventional ROI approaches in order
| > to secure funds for the information security function."
|
| I've been chewing on some ideas in this regard. Any feedback is much
| appreciated.
|
| ROI is an incomplete measure at best. It provides an initial glimpse
| of the potential impact a project might have. It is better to use a
| measure that includes the actual cost of capital, such as Net Present
| Value or economic profit (EVA is the trademarked term).

[...]

| Break security projects down into two categories: enterprise-wide &
| project focused. If you're protecting the enterprise or an enterprise
| asset such as a customer database, you're helping to decrease or
| maintain the enterprise's cost of capital. A significant breach will

I think there are two issues here. The first is that most security projects do not provide a measurable risk management effect. The second is that measurability is hard, and the CSOs who figure it out will define the profession, in the way that CIOs of companies like Walmart, who aligned IT with business process, defined the CIO role.

If installing, say, a new PDL* system doesn't provide a measurable return, in lower operating costs, increased profits, decreased cost of capital, or anywhere else, then how am I, as an executive, supposed to decide if I should invest or renew my investment in it?

"It looks like we need to find a credible alternative to conventional ROI approaches in order to secure funds for the information security function."

Well, perhaps we should find alternatives to the information security function that work within conventional economic models?

Which brings me to my second point. You only get so many years of exceptionalism. If we want to compete for budget, we have to play by the rules that the judges set. Those rules very rarely include "And we'll give the paranoids a few percent of the capital we have available. When they're done, they'll still tell us that we're insecure, but boy did they have fun."

I'm personally impressed by the work that @Stake is doing, applying QA metrics to security analysis of projects, applying business metrics to security investment, etc. While it's challenging, I fully expect that they, or someone following them, will bring about useful change.

Adam

* I hope there isn't a PDL product category out there. My critique applies to an awful lot of systems.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat Jul 19 2003 - 04:42:17 PDT