Information Security News mailing list archives
Re: Security Expected To Take A Larger Bite Out Of IT Budgets
From: InfoSec News <isn () c4i org>
Date: Wed, 9 Jun 2004 05:07:33 -0500 (CDT)
Forwarded from: Nick Owen <nowen () wikidsystems com>

ROI is a poor measure for all financial decisions. Information security just demonstrates its major weakness - it ignores the cost of capital. What risk management projects do is reduce the cost of capital.

Say you have two projects, one costs $1,000,000 and saves $100,000 a year; the other costs $100,000 and saves $10,000 a year. Which do you do? ROI and payback are better for project A. However, what if project A is far riskier than project B? If your cost of capital for project A is 12%, doing project A is a *bad idea* because it creates only $833,333 in value. If the cost of capital for Project B is less than 10%, it is a good idea. ROI would have you do both.

IMO, this unhealthy focus on a very poor measure is hurting information security. To suggest that my company should spend X% on security because our peers do is beyond absurd. How do I best my competition?

There is no need for new ways to measure information security, they exist already: ROIC, EVA, etc., anything that includes the cost of capital.

--
Nick Owen
CEO
WiKID Systems, Inc.
404-962-8983
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.

InfoSec News wrote:
http://www.techweb.com/wire/story/TWB20040607S0013

By Antone Gonsalves
TechWeb News
June 7, 2004

Spending on security-related technology is expected to increase over the next couple of years, leveling off at 5 percent to 8 percent of the IT budget of global 2000 companies, a market-research firm said Monday.

Security spending takes up from 3 percent to 4 percent of IT budgets today, the Meta Group said in a report on calculating information-security spending. That amount, however, is expected to increase at a compound annual growth rate of between 8 percent and 10 percent through 2006, before reaching a plateau.

In general, information security doesn't have metrics for return on investment that have been adopted across industries. A chief financial officer typically defines ROI as dollars spent balanced by additional revenue or accrued profit, but "security doesn't generate revenue or improve profits in a predictable manner," Meta analyst Chris Byrnes said.

Therefore, Meta recommends that companies look to best practices in their industry as a way to determine how much they should spend as a percentage of their IT budgets.

[...]

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org