In Depth

Calculated Risk: Return on Security Investment

Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.

By Scott Berinato

Page 3

With ROSI, like all risk assessment, the goal instead needs to be accuracy, which isn't at all the same thing as precision. Notice that the ASSE study suggested about $3 for every $1. There was no attempt here to delineate the exact return, because that's not the point. The point is to provide a set of guiding principles from which you, your CEO and CFO can make good decisions about what's acceptable. In other words, the CEO doesn't (or shouldn't) care if a return is precisely $3.13 for every $1 spent or $2.97. He cares that it's accurate to suggest about a 3-to-1 return, and not a 1-to-1 return or, worse, a 1-to-3 return.

The dogmatic IT mind-set must be eliminated. It's obvious why IT tends to approach problems with binary thinking. It is, after all, the language of the trade. But an on-off, "either we've been hacked or we haven't" view of the problem will make ROSI an impossible task. (Some believe it helps to eliminate binary terms from their discussions, so that "security" becomes "risk management," threats aren't "eliminated" but "mitigated," and so forth.)

Back to the fire extinguishers. A binary thinker might suggest that, since there was no fire last year, there was no ROSI. If that is the attitude at your company, it's time to initiate some awareness and education because that's not how risk mitigation works. Think of it this way: If you wear your seat belt but don't get in a car accident, does that mean you ought not invest in a seat belt because there was no return?

No. You did get a return, because return is not measured in a dogmatic world of what did or did not occur, but in the stochastic world of what might occur and how likely it is to occur. That is the game of risk; prepare for something to happen by investing in ways to stop it from happening.

"You can't get from the cost of security incidents directly to a return on investment," says Thomas Koulopoulos, president, CEO and founder of Delphi Group, an information technology research and consulting company. "You need to focus on the intermediate step. The probability."

Step 2: Do the legwork

Here's just a portion of the effort Nigriny put into his patch management ROSI: "I am throwing into it how many patches per year I apply, based on three years of data. I sit down with the network team and talk about the types of patches, their criticality level. I look at how long it takes to vet the patch. How many rollouts result in a rollback because of problems with the patch. Then I look at how many patches I should have installed, based on all the patches on all the mailing lists I subscribe to. I dedicate a day to that, but I could take weeks. Eventually, I come up with total time I was at X-percentage risk level before the patches were installed. Here's the average cost of an incident to us; that's my baseline number. You absolutely have to have that. There are industry baselines for this you can find. You can talk to peers at other companies about their baselines and massage them for your situation."
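The following is an added worked example, not part of the article and not Nigriny's own spreadsheet. It turns the inputs he lists (patches per year, vetting and rollout effort, rollback rate, time spent at the unpatched risk level, and a baseline cost per incident) into the expected-loss calculation that Koulopoulos calls the intermediate step. The formula used, ROSI = (expected loss before - expected loss after - cost of the control) / cost of the control, is the standard annualized-loss-expectancy form and is an assumption here, as are all the numbers; every figure is constructed for illustration. Because the result is an expected value, it stays positive in a year with no incident at all, which is the seat-belt argument made above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchProgram:
    """Effort profile of a patch-management program (all values constructed)."""
    patches_per_year: int
    hours_to_vet: float        # time to evaluate one patch before rollout
    hours_to_deploy: float     # time to roll one patch out
    rollback_rate: float       # fraction of rollouts reverted because the patch misbehaved
    hours_per_rollback: float  # effort to back a bad patch out again
    hourly_cost: float         # loaded cost of an hour of staff time


def annual_program_cost(p: PatchProgram) -> float:
    """Yearly cost of running the program: vetting plus deployment plus expected rollback effort."""
    routine_hours = p.patches_per_year * (p.hours_to_vet + p.hours_to_deploy)
    rollback_hours = p.patches_per_year * p.rollback_rate * p.hours_per_rollback
    return (routine_hours + rollback_hours) * p.hourly_cost


def expected_annual_loss(incidents_per_year: float, avg_incident_cost: float,
                         exposure_fraction: float) -> float:
    """Annualized loss expectancy: how often an incident occurs while exposed, times what it costs.

    incidents_per_year is the rate at the unpatched risk level; exposure_fraction is the share
    of the year spent at that level (1.0 = never patched).
    """
    if not 0.0 <= exposure_fraction <= 1.0:
        raise ValueError("exposure_fraction must be between 0 and 1")
    return incidents_per_year * exposure_fraction * avg_incident_cost


def rosi(loss_before: float, loss_after: float, program_cost: float) -> float:
    """Net return per dollar spent: expected loss avoided, minus the control's cost, over the cost.

    A net return of 2.0 is the article's "about $3 for every $1": each dollar spent
    removes three dollars of expected loss.
    """
    if program_cost <= 0:
        raise ValueError("program_cost must be positive")
    return (loss_before - loss_after - program_cost) / program_cost


def breakeven_incident_rate(p: PatchProgram, avg_incident_cost: float,
                            exposure_before: float, exposure_after: float) -> float:
    """Lowest unpatched incident rate at which the program still pays for itself.

    Below this rate the expected loss it removes is smaller than what it costs to run.
    """
    exposure_removed = exposure_before - exposure_after
    if exposure_removed <= 0:
        raise ValueError("program must reduce exposure to have a break-even point")
    return annual_program_cost(p) / (exposure_removed * avg_incident_cost)


def headline_ratio(net_return: float) -> str:
    """State the result the way the article says a CEO hears it: gross dollars back per dollar, rounded."""
    return f"about {round(net_return + 1)}-to-1"


# Constructed scenario; none of these figures come from the article.
PROGRAM = PatchProgram(patches_per_year=120, hours_to_vet=2.0, hours_to_deploy=3.0,
                       rollback_rate=0.05, hours_per_rollback=8.0, hourly_cost=50.0)
INCIDENTS_PER_YEAR_UNPATCHED = 2.0   # expected incidents per year if nothing were patched
AVG_INCIDENT_COST = 50_000.0         # baseline cost of one incident (the number Nigriny says you must have)
EXPOSURE_BEFORE = 1.0                # no program: at the unpatched risk level all year
EXPOSURE_AFTER = 0.15                # with the program: at that level ~15% of the year (patch lag)


def worked_example() -> dict:
    """Run the scenario end to end and return every intermediate figure."""
    cost = annual_program_cost(PROGRAM)
    before = expected_annual_loss(INCIDENTS_PER_YEAR_UNPATCHED, AVG_INCIDENT_COST, EXPOSURE_BEFORE)
    after = expected_annual_loss(INCIDENTS_PER_YEAR_UNPATCHED, AVG_INCIDENT_COST, EXPOSURE_AFTER)
    return {
        "program_cost": cost,
        "loss_before": before,
        "loss_after": after,
        "rosi": rosi(before, after, cost),
        "breakeven_rate": breakeven_incident_rate(PROGRAM, AVG_INCIDENT_COST,
                                                  EXPOSURE_BEFORE, EXPOSURE_AFTER),
    }


if __name__ == "__main__":
    result = worked_example()
    for name, value in result.items():
        print(f"{name:>15}: {value:,.2f}")
    print(f"{'headline':>15}: {headline_ratio(result['rosi'])}")
```

The break-even rate is the figure worth arguing over with the CFO: if the honest estimate of how often an unpatched environment gets hit sits comfortably above it, the decision is robust even though the exact return is not, which is the accuracy-over-precision point made earlier on this page.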
