Calculated Risk: Return on Security Investment

Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.

December 09, 2002 — CSO — Jeff Nigriny wants to believe that patch management software is a good investment. but he can't. until Nigriny, chief of security for aerospace and defense supply chain exchange network Exostar, can prove a positive return on his security investment, or ROSI, he will continue to manually patch systems. He will download the patches, perform regression testing, deploy them in a staging area, determine what machines need patches and then, finally, spit them out onto his network.

"Patch management software seems like the perfect candidate to show an easy return," says Nigriny. "Everyone kind of feels like it's the right thing to do. But I haven't procured a system. And I won'tyet. Why? Because right now the ROSI for it isn't working."

He calls this particular scenario "the most difficult and abstract in terms of risk and return" that he's worked on. It's nothing like 24/7 monitoring, which he said was a cinch to bring to the brass, especially since after he proved an ROSI for monitoring, he also showed that he could cut costs another threefold by outsourcing it.

But with patching, he continues to build and then rebuild his ROSI models, looking for that elusive positive return, all the while fixing his systems the old-fashioned way.

Many of you might be snickering by now because you don't share Nigriny's idealism about the necessity of an ROSI to sell security to the CEO and CFO. In fact, it seems you are legion in your resistance.

It's understandable, in a way. As CISO Tina LaCroix of insurance broker and consultancy Aon points out, "This elusive packaging of the ROI formula to validate our existence is one that may take us down an endless path," a path that probably looks to many CSOs like the one Nigriny's put himself on now with patch management.

But, in fact, it's not an endless path, and we're here to suggest not only that you can use ROSI to sell security internally but that you must. As good a reason as any for the mandate is this: Economist Frank Bernhard's research shows about six cents of every revenue dollar is at risk due to a lack of information security, whereas many companies spend barely a dime of their IT dollar on security.

"I'm not sure why IT tends to disregard these tools; it's a bit frustrating to keep hearing you can't do it accurately," says Bob Jacobson, founder and president of International Security Technology (IST), which handles physical and logical security risk assessment. "It's not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization, if they have the willingness to learn this."