Information Security News mailing list archives

Re: Security Expected To Take A Larger Bite Out Of IT Budgets


From: InfoSec News <isn () c4i org>
Date: Wed, 9 Jun 2004 05:07:33 -0500 (CDT)

Forwarded from: Nick Owen <nowen () wikidsystems com>

ROI is a poor measure for all financial decisions.  Information
security just demonstrates its major weakness - it ignores the cost of
capital.  What risk management projects do is reduce the cost of
capital.

Say you have two projects, one costs $1,000,000 and saves $100,000 a
year; the other costs $100,000 and saves $10,000 a year.  Which do you
do?  ROI and payback are better for project A.  However, what if
project A is far riskier than project B?  If your cost of capital for
project A is 12%, doing project A is a *bad idea* because it creates
only $833,333 in value.  If the cost of capital for Project B is less
than 10%, it is a good idea.  ROI would have you do both.

IMO, this unhealthy focus on a very poor measure is hurting
information security.  To suggest that my company should spend X% on
security because our peers do is beyond absurd.  How do I best my
competition?  There is no need for new ways to measure information
security, they exist already: ROIC, EVA, etc., anything that includes
the cost of capital.

-- 
Nick Owen
CEO
WiKID Systems, Inc.
404-962-8983
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

InfoSec News wrote:
http://www.techweb.com/wire/story/TWB20040607S0013

By Antone Gonsalves
TechWeb News
June 7, 2004

Spending on security-related technology is expected to increase over
the next couple of years, leveling off at 5 percent to 8 percent of
the IT budget of global 2000 companies, a market-research firm said
Monday.

Security spending takes up from 3 percent to 4 percent of IT budgets
today, the Meta Group said in a report on calculating
information-security spending. That amount, however, is expected to
increase at a compound annual growth rate of between 8 percent and 10
percent through 2006, before reaching a plateau.

In general, information security doesn't have metrics for return on
investment that have been adopted across industries.

A chief financial officer typically defines ROI as dollars spent
balanced by additional revenue or accrued profit, but "security
doesn't generate revenue or improve profits in a predictable manner,"
Meta analyst Chris Byrnes said.

Therefore, Meta recommends that companies look to best practices in
their industry as a way to determine how much they should spend as a
percentage of their IT budgets.

[...]
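The perpetuity arithmetic behind Nick Owen's two-project comparison above, as an added example that is not from the original post or from WiKID. It assumes the savings continue indefinitely at a constant rate (the assumption under which $100,000 a year at a 12% cost of capital is worth $833,333), and the 9% rate used for project B is a constructed value standing in for the post's "less than 10%".

```python
# Added example, not from the original post. Values the annual savings of a
# security project as a perpetuity and compares that value with the up-front
# cost, which is the step plain ROI skips.

def perpetuity_value(annual_savings: float, cost_of_capital: float) -> float:
    """Present value of a constant annual saving that continues forever."""
    if cost_of_capital <= 0:
        raise ValueError("cost of capital must be positive")
    return annual_savings / cost_of_capital


def simple_roi(cost: float, annual_savings: float) -> float:
    """Annual return on investment; identical for both projects in the post."""
    return annual_savings / cost


def value_created(cost: float, annual_savings: float, cost_of_capital: float) -> float:
    """Net present value: value of the savings stream minus the up-front cost."""
    return perpetuity_value(annual_savings, cost_of_capital) - cost


def break_even_cost_of_capital(cost: float, annual_savings: float) -> float:
    """Highest cost of capital at which the project still creates value.
    For a perpetuity this equals the simple ROI, which is exactly why ROI
    alone cannot tell a risky project from a safe one."""
    return annual_savings / cost


def evaluate(name: str, cost: float, annual_savings: float, cost_of_capital: float) -> dict:
    """Decision record for one project at a given (risk-adjusted) cost of capital."""
    npv = value_created(cost, annual_savings, cost_of_capital)
    return {
        "project": name,
        "roi": simple_roi(cost, annual_savings),
        "pv_of_savings": perpetuity_value(annual_savings, cost_of_capital),
        "npv": npv,
        "do_it": npv > 0,
    }


# Constructed inputs matching the post: A is the riskier project (12%),
# B the safer one (9%, an assumed rate below the post's 10% threshold).
PROJECT_A = evaluate("A", 1_000_000, 100_000, 0.12)
PROJECT_B = evaluate("B", 100_000, 10_000, 0.09)

if __name__ == "__main__":
    for p in (PROJECT_A, PROJECT_B):
        print(f"{p['project']}: ROI {p['roi']:.0%}, PV ${p['pv_of_savings']:,.0f}, "
              f"NPV ${p['npv']:,.0f}, do it: {p['do_it']}")
```

Both projects show the same 10% ROI, yet A destroys value at a 12% cost of capital while B creates it at 9%; the break-even rate makes the dependence on risk explicit.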



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
