Forwarded from: Nick Owen <nowen@private>

ROI is a poor measure for all financial decisions. Information security just demonstrates its major weakness - it ignores the cost of capital. What risk management projects do is reduce the cost of capital.

Say you have two projects, one costs $1,000,000 and saves $100,000 a year; the other costs $100,000 and saves $10,000 a year. Which do you do? ROI and payback are better for project A. However, what if project A is far riskier than project B? If your cost of capital for project A is 12%, doing project A is a *bad idea* because it creates only $833,333 in value. If the cost of capital for project B is less than 10%, it is a good idea. ROI would have you do both.

IMO, this unhealthy focus on a very poor measure is hurting information security. To suggest that my company should spend X% on security because our peers do is beyond absurd. How do I best my competition? There is no need for new ways to measure information security; they exist already: ROIC, EVA, etc., anything that includes the cost of capital.

--
Nick Owen
CEO
WiKID Systems, Inc.
404-962-8983
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

InfoSec News wrote:
> http://www.techweb.com/wire/story/TWB20040607S0013
>
> By Antone Gonsalves
> TechWeb News
> June 7, 2004
>
> Spending on security-related technology is expected to increase over
> the next couple of years, leveling off at 5 percent to 8 percent of
> the IT budget of global 2000 companies, a market-research firm said
> Monday.
>
> Security spending takes up from 3 percent to 4 percent of IT budgets
> today, the Meta Group said in a report on calculating
> information-security spending. That amount, however, is expected to
> increase at a compound annual growth rate of between 8 percent and 10
> percent through 2006, before reaching a plateau.
>
> In general, information security doesn't have metrics for return on
> investment that's been adopted across industries.
>
> A chief financial officer typically defines ROI as dollars spent
> balanced by additional revenue or accrued profit, but "security
> doesn't generate revenue or improve profits in a predictable manner,"
> Meta analyst Chris Byrnes said.
>
> Therefore, Meta recommends that companies look to best practices in
> their industry as a way to determine how much they should spend as a
> percentage of their IT budgets.

[...]

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
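The valuation Nick Owen sketches above (annual savings divided by a risk-adjusted cost of capital, set against plain ROI and payback) worked through in Python, as an added example that is not part of the original post or of any WiKID Systems code. The cost and savings figures for the two projects are the ones in the message; the 8% cost of capital assumed for project B, the finite-horizon NPV variant, and all function names are assumptions made for the example.

```python
"""Rank two security projects by ROI/payback versus cost-of-capital-aware measures.

Added example: the two projects are the ones from the message; the 8% rate for
project B is a constructed assumption (the message only says "less than 10%").
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    name: str
    cost: float             # up-front spend
    annual_savings: float   # expected loss avoided per year, treated as a perpetuity
    cost_of_capital: float  # risk-adjusted discount rate, e.g. 0.12 for 12%


def roi(p: Project) -> float:
    """Simple annual ROI: savings over cost. Blind to how risky the project is."""
    return p.annual_savings / p.cost


def payback_years(p: Project) -> float:
    """Years of savings needed to recover the spend, also blind to risk."""
    return p.cost / p.annual_savings


def perpetuity_value(p: Project) -> float:
    """Present value of a level savings stream that runs forever: savings / r.

    This is the $833,333 figure in the message: 100,000 / 0.12.
    """
    return p.annual_savings / p.cost_of_capital


def npv(p: Project, years: Optional[int] = None) -> float:
    """Value created: PV of savings minus the spend. years=None means perpetuity."""
    if years is None:
        pv = perpetuity_value(p)
    else:
        r = p.cost_of_capital
        pv = sum(p.annual_savings / (1 + r) ** t for t in range(1, years + 1))
    return pv - p.cost


def eva(p: Project) -> float:
    """One-year economic value added: savings minus the capital charge on the spend."""
    return p.annual_savings - p.cost_of_capital * p.cost


def breakeven_rate(p: Project) -> float:
    """Cost of capital at which the perpetuity NPV is exactly zero (= ROI)."""
    return p.annual_savings / p.cost


def decide(p: Project) -> str:
    """Accept only if the project creates value after charging for its risk."""
    return "accept" if npv(p) > 0 else "reject"


# Constructed inputs: project A and B figures from the message; B's 8% is assumed.
PROJECT_A = Project("A", cost=1_000_000, annual_savings=100_000, cost_of_capital=0.12)
PROJECT_B = Project("B", cost=100_000, annual_savings=10_000, cost_of_capital=0.08)


def compare(*projects: Project) -> dict:
    """Return every measure per project so the ranking differences are visible."""
    return {
        p.name: {
            "roi": roi(p),
            "payback_years": payback_years(p),
            "perpetuity_value": perpetuity_value(p),
            "npv": npv(p),
            "npv_10yr": npv(p, years=10),
            "eva": eva(p),
            "breakeven_rate": breakeven_rate(p),
            "decision": decide(p),
        }
        for p in projects
    }


if __name__ == "__main__":
    for name, row in compare(PROJECT_A, PROJECT_B).items():
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in row.items()})
```

ROI and payback come out identical for both projects (10% and 10 years), so on those measures the two are interchangeable; once the 12% and 8% rates are applied, A destroys value and B creates it, which is the point of the message. The `breakeven_rate` helper makes the rule explicit: a project only adds value when its risk-adjusted cost of capital is below its simple ROI.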
This archive was generated by hypermail 2b30 : Wed Jun 09 2004 - 05:13:18 PDT