In Depth

Calculated Risk: Return on Security Investment

Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.

By Scott Berinato

Page 5

"My experience is that the business managers have clear ideas about loss, risk and what it will cost them and probably more experience than the security guys know," says Jacobson of IST. "You have to go to Mr. Jones and ask him what it would cost him to be down, what is his optimum recovery time. He will have better answers than you think, especially as he thinks about it more."

Know thyself. With all of this data in hand, you can start to build a threat profile. You'll need to know the threats specific to your industry, the probabilities of certain types of attacks based on the kind of company you have or the kind of infrastructure you use. Crude but true example: Financial services companies face more attacks than manufacturing companies. Companies in the news endure spikes in attempted incidents. The Riptech statistics actually do some demographic breakdowns based on industry sector.

Calculate conservatively. We're moving from how and where to get data to how you're going to present it. When pulling together numbers for a ROSI study, always play it safe. Don't assume costs or benefits you're not sure of. If someone says the probability of an attack is between 10 percent and 20 percent, use 20 percent. If they say the cost of an attack is $50,000 to $100,000, take the bigger number.

And use "soft returns" as gravy. Soft returns are generally the hardest elements of a security investment to quantify. An improved brand image due to increased security is a soft return. Trying to add these to the equation is difficult; some skeptical CFOs might even dismiss your ROSI argument as "fudged" because of these variables. Therefore, soft returns are more effectively used as an added benefit on top of ROSI when selling to executives.

Know your audience. And when selling the bosses, the CSO should learn what those executives are looking for in terms of return. "I can't tell you how many times these things are rejected out of hand, because IT is selling something that the executives aren't even looking to buy," says Delphi's Koulopoulos.

Know how the executives want the ROSI positioned (cash savings, productivity gains, increase in security) and move forward that way. Many sources also report that making the ROSI case interactive for executives, allowing them to tweak variables and watch what happens to the ROSI, is by far the single most effective selling tool you can use. "The key is not to be defensive about the data, as I think IT sometimes can be," IST's Jacobson says. "Don't defend the model; explain it."
