Security ROI is in the Eyes of the Beholder
UPDATE: Bumped because of comments
A post from Richard Bejtlich caught my eye the other day. In his post “Network Security Monitoring Case Study” Richard says:
It’s important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are “earning” a “return” by spending time and money to avoid a loss.
I have a problem with this statement. Not with the fact that security-related purchases do not generate revenue; unless you are selling security as a service, that is a true statement. Rather, I have a problem with Richard downplaying the impact that a good security plan can have on an organization's environment and, inevitably, on the organization's profit margin.
An overall security plan is not designed, or should not be designed (unless it is the SBP Security model), to merely “prevent or reduce loss.” It should be designed with the intent of providing an organization’s personnel with additional tools and practices to manage their processes and technologies while reducing risk. The technologies that are implemented as a part of a security plan should not be utilized by the organization to only prevent, identify, and mitigate security related issues. The administrators within the organization should be using them to help identify problems that are impacting performance and availability.
I am not a metrics guru nor am I a wizard with marketing numbers. But I do know for a fact that policies, network architecture, change management, SDLC, OS/app/network monitoring, system/network hardening, incident response plans, BC/DR plan, and all of the other areas involved with a good security plan will have a positive financial effect on my organization. Perhaps I should start reading the Security Metrics blog a little more or go and get my MBA so that I can address the issue of ROI, or Security ROI, in a language that my executives can understand.
I am hoping that people don't consider this just another issue of semantics. It is not. The issue actually lies in the definition of ROI. Although ROI can be defined as "the ratio of money gained or lost on an investment relative to the amount of money invested," we should also remember that the very nature of ROI "can be modified to suit the situation: it all depends on what you include as returns and costs."
As to the question of how Richard's friend should present this to his management to justify monitoring, I have to agree with Richard's recommendation. I would, however, try to work in the benefits monitoring will have on the deployment and management of the organization's systems, applications, and network. Specifics on man-hour and maintenance-fee reductions might help if they can be determined. But, as executives are used to thinking along these lines, just mentioning the benefits to productivity should start the wheels turning.
BTW, make sure you read the comments to Richard’s post left by his readers. They contain some good advice and techniques to justify monitoring.
Go forth and do good things,
Cutaway
July 13th, 2007 at 11:39 am
Way to go Cutaway! Excellently thought out and researched post.
July 13th, 2007 at 1:35 pm
Hi Cutaway,
I see what you mean, but consider this. You said:
An overall security plan is not designed, or should not be designed (unless it is the SBP Security model), to merely “prevent or reduce loss.” It should be designed with the intent of providing an organization’s personnel with additional tools and practices to manage their processes and technologies while reducing risk.
Continue your statement — “reducing risk…” of what? Loss. So security ends up being an activity to prevent or reduce loss.
Just a thought.
July 13th, 2007 at 2:11 pm
Yes, sir. We are reducing the “risk of loss.”
I am trying to get people to also focus on the "manage their processes and technologies" part, which our security practices and technologies allow them to do by providing a detailed look at technical and logical inputs and outputs. I would also like the executives to realize that these benefits cascade and offer, in the long run, return on investment when taken into consideration with the overall processes and organization.
Thank you,
Cutaway
July 13th, 2007 at 2:28 pm
[...] a related post on the same Bejtlich article, Cutaway says: An overall security plan is not designed, or should not be designed (unless it is the SBP [...]
July 23rd, 2007 at 3:15 am
“But I do know for a fact that policies, network architecture, change management, SDLC, OS/app/network monitoring, system/network hardening, incident response plans, BC/DR plan, and all of the other areas involved with a good security plan will have a positive financial effect on my organization.”
I see what you mean, especially being a security guy, but aren't most of those things above to conserve resources and to prevent/detect loss (intrusions)?
Now of course, preventing an intrusion or breach or loss of data may have a positive financial effect by not causing a loss, but I'm not sure I see how the money expended yearly on the above creates a positive financial effect. Care to throw some examples our way?
-CG
July 23rd, 2007 at 4:48 am
@Chris,
Yes, each of these, taken individually, can be considered a loss prevention measure. Individually there is no ROSI. My contention is that, taken in consideration with a well-implemented security plan, there can and will be an increase in effectiveness. It is this effectiveness that has an impact on the revenue of the organization.
This may all come from my ignorance of how ROI is calculated. If it is just designed to concentrate on one single aspect of the puzzle, then I concede the point. But if ROI can be calculated taking into consideration multiple factors, then I would argue that you will be able to see the difference generated by the combination of security products and controls.
There are definitely aspects of a security plan that are specifically designed to prevent or minimize loss. There is just no way around it. The time spent on developing an incident response plan and then implementing it during an incident is all loss prevention and mitigation.
I have sat here for about 20 minutes trying to come up with a good example as you requested. Unfortunately I just cannot do it. It is not that I cannot think of something. I just cannot think of something where it cannot be argued that it is just loss prevention and mitigation. Really, I think that the whole ROI argument is fairly futile. The person in charge is going to think about it the way they want to think about it. If they consider a control to be a cost benefit or a loss prevention then so be it. Most executives are not going to change their mind as to how they think of these types of things.
I, however, tend to be the optimist. I think that security solutions have a positive impact throughout an organization. I think that the controls, when implemented correctly, make the whole system more productive and efficient. And this productivity and efficiency is what generates money. That is how I try to sell security within my organization. Hopefully more people start seeing it the same way. But, I guess, it is just a little bit too much like asking them to “have faith.”
UPDATE: If you have gotten this far you should definitely go check out Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics
Go forth and do good things,
Cutaway
July 23rd, 2007 at 11:43 pm
I am by no means an ROI Ninja either. This sums it up well:
"The person in charge is going to think about it the way they want to think about it. If they consider a control to be a cost benefit or a loss prevention then so be it. Most executives are not going to change their mind as to how they think of these types of things."
Here is an example I can think of, totally made up, but how about:
A company programs in money every quarter/year for dealing with losses/intrusions/forensics/etc. If you can put measures in place and you don't have a loss or need to do an investigation, a positive financial gain can be seen?
Thanks for the good reply.
January 1st, 2008 at 3:40 pm
[...] The feed reader then produced Cutaway’s Security ROI is in the Eyes of the Beholder. [...]