Measuring ROI on Information Security

Research indicates managers understand the value of managing information security risk and the importance of communicating that value in measurable terms to executives and stakeholders. But there's one question a lot of people are asking: why is it so difficult to determine ROI on information security? Christopher Hoff, Chief Architect of Security Innovation for Unisys, posed this question on his blog after discussing the topic at a conference in Nice, France with "a really smart person" who "leads the innovation efforts at a very large financial institution in the UK." The "really smart person" asked Hoff:

Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?
Hoff elaborates:
He suggested then that things like firewalls, IPS's, AV, etc. had a near zero-sum impact when measured in cost against these acceptable losses. Instead of the old axiom regarding not spending $100,000 to protect a $1,000 asset, he was actually arguing about not spending $100,000 to offset an acceptable loss of $1,000,000,000...
Hoff struggled to answer the question, but once blog commenters got in on the conversation, he recalled an earlier post he'd written titled Security RROI (Reduction of Risk on Investment). He and others in on the debate seem at odds when it comes to justifying security savings using ROI. Some go so far as to say there is no ROI since security is a cost center, while others suggest ROI can be calculated but that there are preferable metrics.
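To make the "reduction of risk on investment" idea concrete, here is an added worked example (not from the original post and not Hoff's own method) using the standard quantitative-risk arithmetic: annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence) and return on security investment (ROSI = (ALE before − ALE after − control cost) / control cost). It also expresses the net effect as a percentage of annual profit, which is the "x% more or less profitable" figure the questioner asks for. All dollar amounts, occurrence rates and the profit figure are constructed for illustration; the second scenario models the near-zero-sum case Hoff describes, where a control's cost roughly equals the loss it avoids.

```python
"""Worked ALE / ROSI arithmetic for security controls.

Added example with constructed figures; it is not code from the original
post, and the scenarios are illustrative, not Hoff's numbers.
"""
from dataclasses import dataclass


def ale(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """Annualized loss expectancy: expected loss per incident times expected incidents per year."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on security investment.

    (risk reduction - control cost) / control cost. Zero means the control
    costs exactly what it saves; negative means it costs more than it saves.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    risk_reduction = ale_before - ale_after
    return (risk_reduction - annual_control_cost) / annual_control_cost


def profit_impact_pct(ale_before: float, ale_after: float,
                      annual_control_cost: float, annual_profit: float) -> float:
    """Net change in annual profit caused by the control, as a percentage of profit."""
    net = (ale_before - ale_after) - annual_control_cost
    return 100.0 * net / annual_profit


@dataclass(frozen=True)
class Control:
    """A candidate control: what it costs per year and how it changes the loss model."""
    name: str
    annual_cost: float
    sle: float          # single loss expectancy (constructed)
    aro_before: float   # incidents per year without the control (constructed)
    aro_after: float    # incidents per year with the control (constructed)


def evaluate(control: Control, annual_profit: float) -> dict:
    """Compute ALE before/after, ROSI and profit impact for one control."""
    before = ale(control.sle, control.aro_before)
    after = ale(control.sle, control.aro_after)
    return {
        "name": control.name,
        "ale_before": before,
        "ale_after": after,
        "rosi": rosi(before, after, control.annual_cost),
        "profit_impact_pct": profit_impact_pct(before, after, control.annual_cost, annual_profit),
    }


def rank_controls(controls: list[Control], annual_profit: float) -> list[dict]:
    """Rank candidate controls by ROSI, highest first."""
    return sorted((evaluate(c, annual_profit) for c in controls),
                  key=lambda r: r["rosi"], reverse=True)


# Constructed scenarios. Profit figure is also constructed.
ANNUAL_PROFIT = 5_000_000_000.0

SCENARIOS = [
    # A control that cuts a $2M-per-incident loss from 0.5/yr to 0.1/yr for $100k/yr.
    Control("patch-management", 100_000.0, 2_000_000.0, 0.5, 0.1),
    # The near-zero-sum case: $100k/yr spent to trim an expected loss by exactly $100k.
    Control("perimeter-appliance", 100_000.0, 1_000_000.0, 1.0, 0.9),
    # A control that costs more than the loss it avoids.
    Control("gold-plated-gadget", 250_000.0, 500_000.0, 0.2, 0.1),
]

if __name__ == "__main__":
    for row in rank_controls(SCENARIOS, ANNUAL_PROFIT):
        print(f"{row['name']:<20} ALE {row['ale_before']:>12,.0f} -> {row['ale_after']:>10,.0f}"
              f"  ROSI {row['rosi']:+.2f}  profit impact {row['profit_impact_pct']:+.4f}%")
```

Running it prints the three controls ranked by ROSI: the patch-management control returns seven times its cost, the perimeter appliance is a wash (ROSI 0), and the gadget is a net loss. The profit-impact column is the answer the questioner wanted, and it also shows why the answer underwhelms: even a strongly positive control moves a large institution's profit by a small fraction of a percent, which is the shape of Hoff's point about acceptable losses.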

It's a dizzying debate, for sure. (But a valuable one, nonetheless; just ask TJX Companies.) Care to chime in?

(Tangled Measuring Tape image courtesy of karindalziel, cc 2.0)

