Monday, October 26, 2009

ROSI, not that nonsense again.

I recently listened to a panel discussion on the regulation which shall not be named and heard someone say something stupid (amazing, I know).  He tossed out some very large numbers of dollars that Hannaford Bros has lost and will likely lose in the future due to their breach; he said it could total up to one billion dollars over time, but that it could have been prevented with an expenditure of "only" ten million dollars.  I'm with him so far, even if I am skeptical of the accuracy of some of the figures.  Then he said that "ROI is the answer to your question" and I lost it.  This has nothing to do with ROI; there is no such thing as Return on Security Investment, and that's what led to the development of FOI, a real metric.  But back to the case in question: losing a billion because you didn't spend ten million has nothing to do with ROI.  If you must play acronym bingo, it is a case of LoFtI (Loss on Failure to Invest).  Although LoFtI itself is bad, it is a valuable asset in the ITYS (I Told You So) budgeting process (assuming your company survives the loss).  So, what if they spent the ten million and nothing happened?  There's no tangible return on that.  What if you spent the ten million and something bad happened anyway?  That is FOI.

Can we say Hannaford didn't spend "enough"?  While some make that argument, I certainly will not.  How about the opposite: can we say Hannaford (ChoicePoint, TJX, Heartland, et al.) spent too much?  Well, not TJX, but that is a story best told over adult beverages.  But for the rest, there is a strong argument to be made for this, because what they spent didn't prevent breaches, and thus was a waste of resources (unless the expenditures prevented other breaches, but we can't really prove the negative).  At least we could argue that Hannaford and others spent money in the wrong places.  Yes, I'm talking this in circles, which is all you can do if you talk about security solely in terms of money.  Security is about exposures, vulnerabilities, mitigations and much more.  Of course security costs money, but so does marketing.

Marketing, you say?  Yes, let's talk about marketing in comparison to security.  Marketing people try to provide the most effective programs possible for the money spent, and can measure the results in terms of leads per dollar, and then dig deeper into closing ratios, margins on closed deals, etc.  That is measurable ROI.  That kind of ROI can help steer effective future actions and expenditures.  That kind of ROI doesn't exist in information security.  (By the way, I am well aware that not all marketing expenses deliver measurable ROI.)

I'm not suggesting that money isn't important, or that your security efforts shouldn't have value, but I am saying you cannot tell how blue the sky is with a yardstick.