In Depth
Calculated Risk: Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
By Scott Berinato
None of which is to say ROSI isn't hard work for a security executive; it is. But it's not hard like calculus
We'll set you on the path to succeed in building and using ROSI as a tool to sell security, with a simple three-step primer. Trust us, your CEO will think it's worth it.

Step 1: Rethink your assumptions

Exostar's Nigriny is clearly not in the majority when it comes to security professionals and ROSI. The defeatist shrugs that accompany conversations about ROSI have become conventional wisdom. "Most execs want hard numbers to make financial decisions, and we live in a world where you can't always have that," says Rich Mogull, research director at Gartner G2 Cross-Industry Research. "I mean, what's the ROI of a fire extinguisher?"
According to one study the American Society of Safety Engineers (ASSE) cites, the ROI of fire extinguishers is in fact about a $3 return for every $1 invested, if you take fire extinguishers as part of a larger corporate health and safety initiative.
The point here is ROSI can be calculated and is being calculated. To do so with information security, though, there needs to be a deliberate effort to rethink some of the industry's assumptions and cultural biases. Specifically, there are two biases that need to be eliminated:
Precision is not the goal. One of the reasons ROSI might feel like an endless path is that the tech sector has a natural tendency to approach problems with the precision a software engineer would expect: the "hard numbers" Mogull assumes are required.
"This is a classic problem that technologists have," says Kevin Soo Hoo, a researcher at security consultancy @Stake who conducts ROSI studies and who wrote his Stanford University thesis, dense with economic theory, on the subject. "They don't understand that you can make rough guesses to work out a problem. We dive into an ROSI study, and the engineers are focused on the minutiae and want to argue for days whether some variable should be .6 or .55. It doesn't matter," Soo Hoo says emphatically, as if he's been through this more than a few times. "Choose one!"