In Depth
Calculated Risk: Return on Security Investment
Sure, determining ROSI (return on security investment) is difficult. But it's also the key to selling your budget. Here's our three-step guide to getting started.
By Scott Berinato
Nigriny thinks there are other, underrated sales skills CSOs need to foster in themselves. A general familiarity with accounting is priceless, he says. Also, "You have to be good at public speaking and at PowerPoint engineering. If you're speaking to the CFO, expect him to do some number crunching; have your numbers ready for him. The CEO? The executive summary is far more important. Talk to the CFO ahead of time; you'll have his support, and the CEO won't have to sit through the numbers discussion," says Nigriny.
We weren't kidding when we said this is laborious, intensive work. To Nigriny, ROSI is fractal-like, in that the closer he examines his situation, the more intricate it becomes. "Every time I thought I had it covered, a raft of new variables came up. I've just got this swag of numbers here I have to deal with," a nonplussed Nigriny says.
It's up to the CSO to set the thresholds of what's really needed for a particular scenario. You can make ROSI as simple or as complicated as you think is necessary, and an obvious tenet that emerges is that a simpler ROSI will be somewhat less accurate than a detailed ROSI, but the detailed version will require ever more legwork.
Step 3: Do the math
In the end, the math is simple. You subtract cost from benefits. A positive number is good: a return on investment. A negative number is bad: You're spending more than you're getting.
Of course, the math behind the variables and coefficients that go into the costs and benefits is massively complex. Fortunately, if you've got raw data from your legwork, someone else has done or will do the difficult computations for you. Still, there are some basic risk computations you should know. Here they are:
Annual Loss Expectancy. ALE is the foundation of risk assessment. It is what it sounds like: how much money you expect to lose per year due to some sort of security incident. Note that this is different from the raw cost of an incident (which, remember, you should always keep as a baseline). It's actually the raw cost times the probability of an event in the next year. So the ALE of a security breach that costs $1 million and has a 40 percent chance of happening is:
Incident cost X Probability of incident = ALE
$1,000,000 X 0.4 = $400,000
Modified ALE. mALE is the same equation, but with
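The Step 3 arithmetic, carried through in code as an added example (this is not from the article, and it does not reproduce the article's definition of modified ALE). It assumes two things the page does not state: that a control's annual benefit is the reduction in ALE it produces, and that its cost is an annualised figure (purchase price spread over its useful life plus yearly operating cost). The scenario figures are constructed; the first one is the article's $1 million breach at 40 percent.

```python
"""Worked ROSI arithmetic (added example, not from the CSO article).

Assumptions, labelled here because the page does not state them:
  * a control's annual benefit = ALE without the control - ALE with it;
  * a control's annual cost = purchase price / useful life + yearly running cost.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable


def annual_loss_expectancy(incident_cost: float, probability: float) -> float:
    """ALE = incident cost x probability of the incident occurring in a year."""
    if incident_cost < 0:
        raise ValueError("incident cost must be non-negative")
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    return incident_cost * probability


@dataclass(frozen=True)
class Scenario:
    name: str
    incident_cost: float       # raw cost of one occurrence: the baseline the article says to keep
    probability_before: float  # annual probability with no control in place
    probability_after: float   # annual probability once the control is deployed (assumed figure)

    def ale_before(self) -> float:
        return annual_loss_expectancy(self.incident_cost, self.probability_before)

    def ale_after(self) -> float:
        return annual_loss_expectancy(self.incident_cost, self.probability_after)

    def annual_benefit(self) -> float:
        """Expected loss avoided per year (assumption: benefit = ALE reduction)."""
        return self.ale_before() - self.ale_after()


def annualised_cost(purchase_price: float, useful_life_years: int,
                    yearly_operating_cost: float) -> float:
    """Spread the one-off purchase over its useful life and add the running cost."""
    if useful_life_years < 1:
        raise ValueError("useful life must be at least one year")
    return purchase_price / useful_life_years + yearly_operating_cost


def return_on_security_investment(scenarios: Iterable[Scenario],
                                  control_cost_per_year: float) -> float:
    """Benefits minus cost, as in Step 3: positive is a return, negative means
    the control costs more per year than the loss it is expected to prevent."""
    total_benefit = sum(s.annual_benefit() for s in scenarios)
    return total_benefit - control_cost_per_year


# Constructed sample data: the article's $1M / 40% breach plus a second scenario.
SCENARIOS = (
    Scenario("data breach", 1_000_000, 0.40, 0.10),
    Scenario("ransomware outage", 250_000, 0.20, 0.05),
)
CONTROL_COST = annualised_cost(purchase_price=300_000, useful_life_years=3,
                               yearly_operating_cost=60_000)


def summarise(scenarios: Iterable[Scenario] = SCENARIOS,
              control_cost: float = CONTROL_COST) -> dict:
    """Per-scenario ALE figures plus the overall ROSI, as plain numbers."""
    scenarios = tuple(scenarios)
    return {
        "ale_before": {s.name: s.ale_before() for s in scenarios},
        "ale_after": {s.name: s.ale_after() for s in scenarios},
        "total_benefit": sum(s.annual_benefit() for s in scenarios),
        "control_cost": control_cost,
        "rosi": return_on_security_investment(scenarios, control_cost),
    }


if __name__ == "__main__":
    result = summarise()
    for name, ale in result["ale_before"].items():
        print(f"{name:18s} ALE before ${ale:>12,.0f}  after ${result['ale_after'][name]:>12,.0f}")
    print(f"annual benefit     ${result['total_benefit']:>12,.0f}")
    print(f"annual cost        ${result['control_cost']:>12,.0f}")
    verdict = "return" if result["rosi"] > 0 else "spending more than you get back"
    print(f"ROSI               ${result['rosi']:>12,.0f}  ({verdict})")
```

The probability check matters in practice: a sloppy spreadsheet that records "40" instead of 0.4 would inflate the ALE forty-fold and make almost any control look worthwhile, so the function refuses probabilities outside 0 to 1 rather than silently producing a number.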