[ISN] Calculating security ROI is tricky business

From: InfoSec News (isnat_private)
Date: Tue Jul 22 2003 - 00:20:29 PDT

Next message: InfoSec News: "[ISN] The Case of the Hacked South Pole"

Previous message: InfoSec News: "[ISN] Attacks already exploiting Cisco IOS vulnerability"
Next in thread: InfoSec News: "Re: [ISN] Calculating security ROI is tricky business"
Reply: InfoSec News: "Re: [ISN] Calculating security ROI is tricky business"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.computerworld.com/securitytopics/security/story/0,10801,83207,00.html

By Marcia J. Wilson
JULY 21, 2003
Computerworld 

Return on security investment has become a hot topic.  IT departments
have traditionally been viewed as cost centers, though they have
learned to provide a business-case analysis for IT initiatives.
Information security departments are trying to figure out how to do
the same thing.

They can't sell security initiatives based on fear anymore. They have
to come up with the same justifications as any other business unit,
complete with the dreaded metrics, or hard financial facts.

ROI is about revenue generation, cost savings or increased
productivity. IT has learned to show, for instance, that upgrading the
server farm or network will provide x% increased productivity by
virtue of faster access of mission-critical applications and that
installing a virtual private network (VPN) will provide x% increase in
productivity by virtue of availability of the network to remote and
mobile employees. But how can security prove ROI for preventive
measures that require capital expenditures, additional manpower and a
steep learning curve?

Some people claim that trying to prove return on security investments
is a waste of time. It's all about risk management, they say.  
Meanwhile, security vendors are champing at the bit to prove that ROI
on security is possible and have gone to elaborate lengths to prove
that their products will provide significant returns. Managed security
service providers are saying, "Just let us handle your security for
you, and we'll show you how you can reduce risk and cost."

You know you need firewalls, VPNs, a secure network architecture,
encryption, digital signatures, improved backup and restore
capability, filtering, monitoring, intrusion detection/prevention and
single sign-on capabilities. How are you going to justify the
expenditures?

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] The Case of the Hacked South Pole"
Previous message: InfoSec News: "[ISN] Attacks already exploiting Cisco IOS vulnerability"
Next in thread: InfoSec News: "Re: [ISN] Calculating security ROI is tricky business"
Reply: InfoSec News: "Re: [ISN] Calculating security ROI is tricky business"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 03:11:23 PDT