Security Basics mailing list archives
Re: The Return on Investment of Good Security
From: Tony <tony_l_turner () yahoo com>
Date: Sun, 04 Jan 2009 02:31:24 -0500
Adriel T. Desautels wrote:
Tony, while I understand and respect your point of view, I disagree. If you pay for quality security services you will probably avoid suffering the damages of a successful compromise. If you avoid that compromise then you never need to suffer damages and lose money as a result. I suppose that's not really savings, but it does prevent loss.
Very true and I am not debating the need for asset protection, simply the semantics of the term ROI in regards to security expenditures. I just don't see how there is a return, simply a reduction of loss. Obviously mitigating loss can amount to almost the same thing as increasing value or increased earnings when we simply look at dollar amounts on a +/- basis, but it is not earnings we are looking at, which is what ROI is focused on. Security is an expense justified to prevent loss; it is not the same thing as generating additional revenue. I understand that when project decisions are made we have to use similar language as the "ROI guys" to get funding for competing projects, but it's not ROI.
If on the other hand you do not use a quality service provider then you do run the very high risk of suffering a compromise. So then I'll ask, how much are your assets worth? What is the value of your network, its systems, your emails, your customer information, your source code, etc? Is it worth more than $20,000, is it worth more than $50,000.00? If it is then why would you choose the bunk security service over the real one?

So the question really is, are your assets worth protecting Tony? If you're interested I can prove my point about the differences in quality. Have my team do a followup penetration test and allow us to reproduce the threat that you'll likely face in the real world. We'll probably get in, thank god we're the good guys right? Too bad most of the bad guys are testing you better than most of the security providers though. ;]

On Jan 3, 2009, at 10:20 AM, tony_l_turner () yahoo com wrote:

I've always felt that any attempts to calculate ROI for security investments led to confusion. There really is no return on investment, just mitigated or avoided risk. It's similar to buying insurance (although that creates a certain amount of risk transference) but either is a completely different scenario than buying a server or a new DBMS that directly translates to increased transaction volume or decreased contact times. ROI on security is a misnomer. It is an attempt to justify security expenditures and while some sort of model is needed to represent the impact for the investment and the returns gained, ROI seems a poor choice.

------Original Message------
From: Adriel T. Desautels
Sender: listbounce () securityfocus com
To: pen-test list
Cc: security-basics () securityfocus com
Sent: Jan 2, 2009 6:45 PM
Subject: The Return on Investment of Good Security

Latest blog entry for those who care. This one compares the Return on Investment of good security services to the Return on Investment of poor quality security services.
As usual comments and criticisms are welcome and appreciated.

Direct link as requested: http://snosoft.blogspot.com/2009/01/cost-of-good-security-is-fraction-of.html

Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com

Sent from my Verizon Wireless BlackBerry