Information Security News mailing list archives

Re: Update: Money seen as biggest obstacle to effective IT security


From: InfoSec News <isn () c4i org>
Date: Sat, 19 Jul 2003 03:33:54 -0500 (CDT)

Forwarded from: Adam Shostack <adam () lagrange informedsecurity com>

On Fri, Jul 18, 2003 at 02:46:03AM -0500, InfoSec News wrote:
| Forwarded from: Nick Owen <nowen () wikidsystems com>
| 
| </lurk>
| 
| > "Return on investment appears to have fallen out of favor as a
| > measure of the effectiveness of information security spending," Mark
| > Doll, Americas director of Ernst & Young's Security Services
| > division, said in a prepared statement. "It looks like we need to
| > find a credible alternative to conventional ROI approaches in order
| > to secure funds for the information security function."
| 
| I've been chewing on some ideas in this regard.  Any feedback is much
| appreciated.
| 
| ROI is an incomplete measure at best.  It provides an initial glimpse
| of the potential impact a project might have.  It is better to use a
| measure that includes the actual cost of capital, such as Net Present
| Value or economic profit (EVA is the trademarked term).
[...]

| Break security projects down into two categories: enterprise-wide &
| project focused.  If you're protecting the enterprise or an enterprise
| asset such as a customer database, you're helping to decrease or
| maintain the enterprise's cost of capital.  A significant breach will

I think there are two issues here.  The first is that most security
projects do not provide a measurable risk management effect.  The
second is that measurability is hard, and the CSOs who figure it out
will define the profession, in the way that CIOs of companies like
Walmart, who aligned IT with business process, defined the CIO role.

If installing, say, a new PDL* system doesn't provide a measurable
return, in lower operating costs, increased profits, decreased cost of
capital, or anywhere else, then how am I, as an executive, supposed to
decide if I should invest or renew my investment in it?

"It looks like we need to find a credible alternative to conventional
ROI approaches in order to secure funds for the information security
function."

Well, perhaps we should find alternatives to the information security
function that work within conventional economic models?  Which brings
me to my second point.  You only get so many years of exceptionalism.
If we want to compete for budget, we have to play by the rules that
the judges set.  Those rules very rarely include "And we'll give the
paranoids a few percent of the capital we have available.  When
they're done, they'll still tell us that we're insecure, but boy did
they have fun."

I'm personally impressed by the work that @Stake is doing, applying QA
metrics to security analysis of projects, applying business metrics to
security investment, etc.  While it's challenging, I fully expect that
they, or someone following them, will bring about useful change.

Adam


* I hope there isn't a PDL product category out there. My critique
applies to an awful lot of systems.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
