“The person in charge is going to think about it the way they want to think about it. If they consider a control to be a cost benefit or a loss prevention then so be it. Most executives are not going to change their mind as to how they think of these types of things.”

here is an example i can think of, totally made up but how about:

a company programs in money every quarter/year for dealing with losses/intrusions/forensics/etc if you can put measures in place and you dont have a loss or need to do an investigation a positive financial gain can be seen?

thanks for the good reply

Yes, each of these taken individually are can be considered loss prevention measures. Individually there is no ROSI. My contention is that taken in consideration with a well implemented security plan there can and will be an increase in effectiveness. It is this effectiveness that has an impact on the revenue of the organization.

This may all come from my ignorance of how ROI is taken calculated. If it is just designed to concentrate on one single aspect of the puzzle then I concede the point. But if ROI can be calculated taking into consideration multiple factors then I would argue the you will be able to see the difference generated by the combination of security products and controls.

There are definitely aspects of a security plan that are specifically designed to prevent or minimize loss. There is just no way around it. The time spent on developing a incident response plan and then implementing it during an incident is all loss prevention and mitigation.

I have sat here for about 20 minutes trying to come up with a good example as you requested. Unfortunately I just cannot do it. It is not that I cannot think of something. I just cannot think of something where it cannot be argued that it is just loss prevention and mitigation. Really, I think that the whole ROI argument is fairly futile. The person in charge is going to think about it the way they want to think about it. If they consider a control to be a cost benefit or a loss prevention then so be it. Most executives are not going to change their mind as to how they think of these types of things.

I, however, tend to be the optimist. I think that security solutions have a positive impact throughout an organization. I think that the controls, when implemented correctly, make the whole system more productive and efficient. And this productivity and efficiency is what generates money. That is how I try to sell security within my organization. Hopefully more people start seeing it the same way. But, I guess, it is just a little bit too much like asking them to “have faith.”

UPDATE: If you have gotten this far you should definitely go check out Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics

Go forth and do good things,
Cutaway

i see what you mean, especially being a security guy, but arent most of those things above to conserve resources and to prevent/detect loss(intrusions)?

now of course, preventing an intrusion or breach or loss of data may have a positive financial effect by not causing a loss but i’m not sure i see how how the money expended yearly on the above creates a positive financial effect. care to throw some examples our way?

-CG

I am trying to get people to also focus on the “manage their processes and technologies” which our security practices and technologies allow them to do by providing a detailed look at technical and logical inputs and outputs. I would also like the executives to realize that these benefit cascade and offer, in the long run, return on investment when taken into consideration with the overall processes and organization.

Thank you,
Cutaway

I see what you mean, but consider this. You said:

An overall security plan is not designed, or should not be designed (unless it is the SBP Security model), to merely “prevent or reduce loss.” It should be designed with the intent of providing an organization’s personnel with additional tools and practices to manage their processes and technologies while reducing risk.

Continue your statement — “reducing risk…” of what? Loss. So security ends up being an activity to prevent or reduce loss.

Just a thought.