Re: [ISN] Security Expected To Take A Larger Bite Out Of IT Budgets

From: InfoSec News (isn@private)
Date: Wed Jun 09 2004 - 03:07:33 PDT

    Forwarded from: Nick Owen <nowen@private>

    ROI is a poor measure for all financial decisions.  Information
    security just demonstrates its major weakness - it ignores the cost of
    capital.  What risk management projects do is reduce the cost of

    Say you have two projects, one costs $1,000,000 and saves $100,000 a
    year; the other costs $100,000 and saves $10,000 a year.  Which do you
    do?  ROI and payback are better for project A.  However, what if
    project A is far riskier than project B?  If your cost of capital for
    project A is 12%, doing project A is a *bad idea* because it creates
    only $833,333 in value.  If the cost of capital for project B is less
    than 10%, it is a good idea.  ROI would have you do both.

    IMO, this unhealthy focus on a very poor measure is hurting
    information security.  To suggest that my company should spend X% on
    security because our peers do is beyond absurd.  How do I best my
    competition?  There is no need for new ways to measure information
    security, they exist already: ROIC, EVA, etc., anything that includes
    the cost of capital.

    Nick Owen
    WiKID Systems, Inc.
    Two-factor authentication, without the hassle factor.
    InfoSec News wrote:

    > By Antone Gonsalves
    > TechWeb News
    > June 7, 2004
    >
    > Spending on security-related technology is expected to increase over
    > the next couple of years, leveling off at 5 percent to 8 percent of
    > the IT budget of global 2000 companies, a market-research firm said
    > Monday.
    >
    > Security spending takes up from 3 percent to 4 percent of IT budgets
    > today, the Meta Group said in a report on calculating
    > information-security spending. That amount, however, is expected to
    > increase at a compound annual growth rate of between 8 percent and 10
    > percent through 2006, before reaching a plateau.
    >
    > In general, information security doesn't have metrics for return on
    > investment that have been adopted across industries.
    >
    > A chief financial officer typically defines ROI as dollars spent
    > balanced by additional revenue or accrued profit, but "security
    > doesn't generate revenue or improve profits in a predictable manner,"
    > Meta analyst Chris Byrnes said.
    >
    > Therefore, Meta recommends that companies look to best practices in
    > their industry as a way to determine how much they should spend as a
    > percentage of their IT budgets.

    This archive was generated by hypermail 2b30 : Wed Jun 09 2004 - 05:13:18 PDT