Monday, September 15, 2008

FOI follow-up

My original FOI (Failure of Investment) post was picked up in a private forum and sparked a little conversation. I let the thread take its course and then posted my thoughts. Since it was a reasonable follow-up, I have excerpted it below:

It is interesting to see where this idea has gone in the past week or so. It started out with my frustration over the use of ROI and TCO as accurate *predictive* measurements. I think today's activity on Wall Street (and beyond) underscores the old adage that "Past Performance is Not Necessarily Indicative of Future Results". I am not arguing against looking back to try to analyze and learn from the past, but I have little faith in predictive technologies in a relatively new and continuously evolving industry- especially those necessarily based on guesses. You simply cannot account for all tangential and unexpected impacts. Centralizing management of your desktop anti-virus is obviously a good idea and a good investment- until your vendor issues a bad pattern and your IT team gets to repair or re-image all of your workstations. How did you predictively figure that cost into your ROI/TCO/OAA? (OAA = Other Abused Acronym)

To put this in context (I read somewhere that was important), my background is in small business IT- where it is unlikely that the people in the trenches have the time or knowledge to perform thorough generation and analysis of data- and the decision makers are unlikely to have the time or expertise to act on such data if it were presented to them. In this environment it usually takes a failure to get focus on a problem, and if budget is allocated to solve the problem, it had better stay solved. If the same issue returns after the investment, that is much worse than a new problem because you have failed on multiple levels. Thus introducing the metric "Failure of Investment".

As I said in my post, in IT we are judged primarily by the overly-simple question "does it work?" (Really, we are- and if you do not believe that, it may explain why you are currently unemployed- the "A" in CIA is a trump letter). FOI adds "did you keep *that* from happening again?" to the measurement. Like it or not, that's a real improvement in security metrics for most people.

I never believed this situation was limited to small business, and feedback and commentary seem to confirm my suspicions.

Also, since his original post, Andy Willingham did a video interview with CSI (the Computer Security Institute).