UPDATE: Bumped because of comments
It’s important to remember that there is no return on security investment. Security is a cost center that exists to prevent or reduce loss. It is not financially correct to believe you are “earning” a “return” by spending time and money to avoid a loss.
I have a problem with this statement. Not with the fact that security-related purchases do not generate revenue; unless you are selling security as a service, that is a true statement. Rather, I have a problem with Richard downplaying the impact that a good security plan can have on an organization's environment and, inevitably, on the organization's profit margin.
An overall security plan is not designed, or should not be designed (unless it is the SBP Security model), to merely “prevent or reduce loss.” It should be designed with the intent of providing an organization’s personnel with additional tools and practices to manage their processes and technologies while reducing risk. The technologies that are implemented as a part of a security plan should not be utilized by the organization to only prevent, identify, and mitigate security related issues. The administrators within the organization should be using them to help identify problems that are impacting performance and availability.
I am not a metrics guru nor am I a wizard with marketing numbers. But I do know for a fact that policies, network architecture, change management, SDLC, OS/app/network monitoring, system/network hardening, incident response plans, BC/DR plan, and all of the other areas involved with a good security plan will have a positive financial effect on my organization. Perhaps I should start reading the Security Metrics blog a little more or go and get my MBA so that I can address the issue of ROI, or Security ROI, in a language that my executives can understand.
I am hoping that people don't consider this just another issue of semantics. It is not. The issue actually lies in the definition of ROI. Although ROI can be defined as "the ratio of money gained or lost on an investment relative to the amount of money invested," we should also remember that the very nature of ROI "can be modified to suit the situation - it all depends on what you include as returns and costs."
As to the question of how Richard's friend should present this to his management to justify monitoring...I have to agree with Richard's recommendation. I would, however, try to work in the benefits monitoring will have on the deployment and management of the organization's systems, applications, and network. Specifics on man-hour and maintenance-fee reductions might help if they can be determined. But, as executives are used to thinking along these lines, just mentioning the benefits to productivity should start the wheels turning.
BTW, make sure you read the comments to Richard’s post left by his readers. They contain some good advice and techniques to justify monitoring.
Go forth and do good things,
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.