Re: [ISN] Calculating security ROI is tricky business

From: InfoSec News (isnat_private)
Date: Wed Jul 23 2003 - 00:03:31 PDT


    Forwarded from: Mark Bernard <mbernardat_private>

    Dear Associates,

    In my opinion it gets down to mapping IT/IS annual goals and
    objectives to business goals and objectives. But if you ask a techie
    how fixing the firewall or a server will help the company improve
    profits, you may be surprised at the answer you'll get. However, it's
    not really fair to blame the current problem on techies; after all,
    they are highly trained professionals and most of them do very good
    work.

    If you look closer, however, you see that the problem is with middle
    and senior IS/IT management. Most of these fellows have come up through
    the ranks and, as all good organizations do, they promote from within.
    The problem is that these guys, without the proper mentoring from the
    Executive group or Finance group, don't have two clues about how to map
    IT/IS goals and objectives to organizational goals and objectives. As
    close as they get to managing the overall business is to take last
    year's approved budget, add a fudge factor and then create a new budget.
    This is a great process because it allows you to quickly get back to
    the things that you like to do and are comfortable with, instead of
    justifying why it is that you do these things.

    Ponder this if you will: if technology is the solution for business
    needs, then what is the solution to technology needs?

    Mark E. S. Bernard, CISM.

    ----- Original Message -----
    From: "InfoSec News" <isnat_private>
    To: <isnat_private>
    Sent: Tuesday, July 22, 2003 4:20 AM
    Subject: [ISN] Calculating security ROI is tricky business

    > By Marcia J. Wilson
    > JULY 21, 2003
    > Computerworld
    >
    > Return on security investment has become a hot topic. IT
    > departments have traditionally been viewed as cost centers, though
    > they have learned to provide a business-case analysis for IT
    > initiatives. Information security departments are trying to figure
    > out how to do the same thing.
    >
    > They can't sell security initiatives based on fear anymore. They
    > have to come up with the same justifications as any other business
    > unit, complete with the dreaded metrics, or hard financial facts.
    >
    > ROI is about revenue generation, cost savings or increased
    > productivity. IT has learned to show, for instance, that upgrading
    > the server farm or network will provide x% increased productivity by
    > virtue of faster access to mission-critical applications and that
    > installing a virtual private network (VPN) will provide x% increase
    > in productivity by virtue of availability of the network to remote
    > and mobile employees. But how can security prove ROI for preventive
    > measures that require capital expenditures, additional manpower and
    > a steep learning curve?
    >
    > Some people claim that trying to prove return on security
    > investments is a waste of time. It's all about risk management, they
    > say. Meanwhile, security vendors are champing at the bit to prove
    > that ROI on security is possible and have gone to elaborate lengths
    > to prove that their products will provide significant returns.
    > Managed security service providers are saying, "Just let us handle
    > your security for you, and we'll show you how you can reduce risk
    > and cost."
    >
    > You know you need firewalls, VPNs, a secure network architecture,
    > encryption, digital signatures, improved backup and restore
    > capability, filtering, monitoring, intrusion detection/prevention
    > and single sign-on capabilities. How are you going to justify the
    > expenditures?
    >
    > [...]

    This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 02:46:36 PDT