Last week, right before heading into the Catskills for the blacksmith conference, I started an interesting conversation with some friends by tossing out the following acronym-laden opinion:
"Not that you asked, but IMHO: ROI and TCO are SWAG at best. And, they are rarely at their best"
Michael Santarcangelo (you know, the Security Catalyst) responded first, then a few others joined in- it was better than the normal "is there ROI on Security?" conversation- and since the smart kids were indulging me by considering my opinions I threw out this idea:
"The only viable measurement in security is failure."
Andy Willingham (you know him as Andy, IT Guy) took the idea and proposed the acronym FOI, Failure of Investment. And that's it, FOI, a real-world metric we can all understand. In this post, Andy did a great job of explaining FOI.
In most of my IT career (small-mid business, auto dealers a specialty) I worked where margins are razor-thin and you really have to justify every expense. Things aren't broken until proven broken, usually by a failure. Firewalls, anti-virus, backup systems- these are just a few of the things I could only spend money on after an incident. I call this the "I told you so" budget method. Oh, yeah- and once you get that money, the problem had better not happen again. Note that in this context, a new type of failure doesn't count as FOI unless you have invested in preventing that specific class of failure.
I've said many times that in IT we are judged primarily by the overly-simple question "does it work?". FOI adds "did you keep *that* from happening again?" to the measurement. Like it or not, that's a real improvement in security metrics for most people.