Sure, determining an ROI for security is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
Reader ROI. In this story:
- Find the data you need to calculate a security ROI
- Learn the basic maths to do it
Jeff Nigriny wants to believe that patch management software is a good investment. But he can't. Until Nigriny, chief of security for aerospace and defence supply chain exchange network Exostar, can prove a positive return on his security investment (ROSI), he will continue to patch systems by hand: download the patches, regression-test them, deploy them in a staging area, work out which machines need them and then, finally, push them out onto his network.
"Patch management software seems like the perfect candidate to show an easy return," says Nigriny. "Everyone kind of feels like it's the right thing to do. But I haven't procured a system. And I won't - yet. Why? Because right now the ROSI for it isn't working."
He calls this particular scenario "the most difficult and abstract in terms of risk and return" that he's worked on. It's nothing like 24/7 monitoring, which he said was a cinch to bring to the brass, especially since after he proved an ROSI for monitoring, he also showed that he could cut costs another threefold by outsourcing it.
But with patching, he continues to build and then rebuild his ROSI models, looking for that elusive positive return, all the while fixing his systems the old-fashioned way.
Many of you might be snickering by now because you don't share Nigriny's idealism about the necessity of an ROSI to sell security to the CEO and CFO. In fact, it seems you are legion in your resistance. It's understandable, in a way. As CISO Tina LaCroix of insurance broker and consultancy Aon points out, "This elusive packaging of the ROI formula to validate our existence is one that may take us down an endless path", a path that probably looks to many CIOs and CSOs like the one Nigriny's put himself on now with patch management.
But, in fact, it's not an endless path, and we're here to suggest not only that you can use ROSI to sell security internally but that you must. As good a reason as any for the mandate is this: economist Frank Bernhard's research shows about six cents of every revenue dollar is at risk due to a lack of information security, whereas many companies spend barely 10 cents of their IT dollar on security. "I'm not sure why IT tends to disregard these tools; it's a bit frustrating to keep hearing you can't do it accurately," says Bob Jacobson, founder and president of International Security Technology (IST), which handles physical and logical security risk assessment. "It's not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CIOs and CSOs] have an opportunity to make a major contribution in their organisation, if they have the willingness to learn this."
None of which is to say ROSI isn't hard work; it is. But it's not hard like calculus - plenty of researchers and economists have taken care of sigmas and mus and other esoteric economic maths already. It's hard like running a marathon - ROSI requires legwork, and lots of it.
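To make the "basic maths" concrete, here is the arithmetic behind a ROSI model in the standard annualized-loss-expectancy (ALE) form that the researchers and economists mentioned above have already worked out: ALE = SLE x ARO, and ROSI = (ALE before the control - ALE after the control - cost of the control) / cost of the control. This is an added illustration, not code or figures from the article or from Exostar; every dollar amount and incident rate in it is constructed, and the patch-management scenario is a hypothetical stand-in for the one Nigriny describes. It also adds a break-even calculation the article does not mention, which is the quantity you actually argue about when a model keeps coming out negative.

```python
"""ROSI arithmetic in the standard ALE form (added example, not from the article).

    ALE  = SLE * ARO
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost

All figures below are constructed for illustration; none are Exostar's numbers.
"""


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: cost of one incident times incidents per year."""
    return sle * aro


def rosi(sle: float, aro_before: float, aro_after: float, control_cost: float) -> float:
    """Return on a control that moves the incident rate from aro_before to aro_after
    at an incremental annual cost of control_cost (what the control adds on top of
    what you already spend). Positive means it saves more expected loss than it costs."""
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    risk_reduction = ale(sle, aro_before) - ale(sle, aro_after)
    return (risk_reduction - control_cost) / control_cost


def breakeven_aro(sle: float, reduction: float, control_cost: float) -> float:
    """Incident rate (before the control) at which ROSI is exactly zero, given that
    the control removes the fraction `reduction` of incidents. Below this rate the
    control does not pay for itself; above it, it does. Solves
    sle * aro * reduction == control_cost for aro."""
    if not 0 < reduction <= 1:
        raise ValueError("reduction must be in (0, 1]")
    return control_cost / (sle * reduction)


# Hypothetical patch-management scenario. Manual patching is the baseline; the
# tool's incremental cost is licence plus admin time minus the manual labour it
# replaces. Every value here is an assumption made for the example.
SLE = 200_000.0      # cost of one compromise through an unpatched host (assumed)
ARO_MANUAL = 0.5     # such compromises per year with slow manual patching (assumed)
REDUCTION = 0.6      # fraction of those removed by patching faster (assumed)
ARO_TOOL = ARO_MANUAL * (1 - REDUCTION)


def patching_case(incremental_cost: float) -> dict:
    """Evaluate the patch-management tool at a given incremental annual cost."""
    return {
        "rosi": rosi(SLE, ARO_MANUAL, ARO_TOOL, incremental_cost),
        "breakeven_aro": breakeven_aro(SLE, REDUCTION, incremental_cost),
    }


if __name__ == "__main__":
    # Same risk model, two price points: one clears the bar, one does not.
    for cost in (50_000.0, 70_000.0):
        r = patching_case(cost)
        print(f"incremental cost ${cost:,.0f}: ROSI {r['rosi']:+.1%}, "
              f"pays off once baseline ARO >= {r['breakeven_aro']:.2f}/yr")
```

The two price points show why the model gets built and rebuilt: with the assumed risk figures the tool returns +20% at $50,000 a year of incremental cost and -14% at $70,000, and at the higher price it only pays for itself if you believe unpatched hosts are being compromised more than about 0.58 times a year. The legwork is in defending the SLE, ARO and reduction inputs, not in the division.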
We'll set you on the path to succeed in building and using ROSI as a tool to sell security, with a simple three-step primer. Trust us, your CEO will think it's worth it.