Security RROI (Reduction of Risk on Investment)
The security blogosphere sure is exciting these days. I can’t decide whether to tune into the iPhone junkie wars, the InfoSec Sellout soap opera or the Security ROI cage match!
I’m going to pick the latter because quite honestly, the other two are about as inflated as Bea Arthur’s girdle…
(edit: link added for Cutaway, whose predilection towards Bea Arthur and her undergarments is disturbing at best… Warning… May Cause Chafing…)
Unless you’ve been under a rock (or actually, gasp!, working) you’ve no doubt seen Rich Bejtlich’s little gem titled "No ROI? No Problem" that re-kindled all sorts of emotive back and forth debating the existence of Security ROI.
It was revisited by Rich here and then here…and then picked up by Lindstrom, Hutton, Cutaway and the rest of the risk management cognoscenti. All good stuff.
It seems that the unofficial scoring has the majority of contributors to the debate suggesting that Security ROI does not exist…sort of. The qualification of the word "return" really seems to be the important lynchpin here as contribution (margin, profit, etc.) versus cost avoidance really is what sends people off the deep end.
It appears that if we define ‘return’ to suggest that what you get back is a way of avoiding shelling out money, then indeed, one may quantify a return on the investment made.
Fine. I’m good with that. To a point.
However, I’ve never used ROI in any metric I’ve produced. NPV? Nope. ROSI? Nuh-uh.
What I have chosen to use is RROI — the reduction of risk on investment. HA! Another term.
Basically, I’ve used various combinations of metrics and measurements to quantify data points and answer the question:
"If I invest in some element of my security program (people, process, technology) — or after I have invested in it — am I more secure than I was before and how much more? Furthermore, how should I manage my investment portfolio to give me the best reduction of risk?"
One doesn’t hire security guards because of an expectation that this action will make one more profitable; it’s a cost of doing business. It allows one to assess the risk based on impact and decide how, if at all, one could or should invest in security to defray the impact and cost associated with the event(s) one is trying to mitigate.
Ah yes, the old "why would you spend $1000 to protect a $10 asset?" question. Can you answer this question for every security investment you make?
I’d say that I’ve always been able to communicate what the "return" (see above) would be on investments made, and have done so in a manner that has always seen my security budgets grow when necessary and trim when warranted. The transparency I strive to produce is communicated in business terms that anyone who understands basic math and business logic can process. Maybe I’m just lucky.
I’m not saying I have the problem licked or that I found the holy grail, but the problem just doesn’t seem to be as daunting as some would have you believe. Start small, be rational and build and manage your portfolio accordingly.
So, how many of you have risk dashboards that can, in near-time, communicate where you invest, why and how this maps to the business and helps you most effectively manage risk per dollar spent? This is what’s really important.
I’m just wondering whether, instead of trying to globally force-feed a definition across a contentious landscape of religion and philosophy, we could spend less time arguing about terms and more time solving problems. Ask the business how they want to see your security value communicated and go from there. If they want ROI, then fine… define the "R" appropriately and move on.
I’m going to "return" to work now… 😉
/Hoff
WHAT??? No links or pics to Bea Arthur's girdle?? Frankly, I am very disappointed.
Cutaway
…ask and ye shall receive. Link added.
/Hoff
"why would you spend $1000 to protect a $10 asset?"
"Because there's a good probability that in the absence of additional controls, it'll be abused at least 101 times?"
or
"Because if we don't, the stupid (pci/glba/hipaa, etc.) compliance people will fine us $991 dollars or more?"
You sir, are right on. We've been thinking about this – it's a little more difficult than it first appears, and it's an incomplete metric in terms of justification for purchasing additional controls, but I'm hopeful that it's the beginning of the right approach.
You know, Hoff, sometimes you really DO offer something useful, and I really like how RROI rolls off the tongue and just makes sense without saying ROI or cost.
Yeah, but does it blend?
{See Die, iPhone, Die…post above}
😉