Ken Pfeil is CSO at Capital IQ, a Web-based provider of financial data services in New York City. His experience spans two decades with companies such as Avaya, Dell, Identix, Merrill Lynch and Microsoft. He answers readers' questions about quantifying a return on security investment (ROSI).

By CSO Contributor

Page 2

at a later point, once your metrics are in place.

Q: Companies continue to buy software from vendors, regardless of whether those vendors have adopted secure coding practices and secure development lifecycles. That said: What is the financial incentive for software vendors to invest in educating their developers, to introduce security into their software development life cycle and to improve their overall security stance? Is risk avoidance the only justification, or are hard-dollar savings and revenue driven by developing more secure code?

A: Security has to be viewed as a competitive advantage for companies. Consumers as a whole should demand more from their vendors. Until customers start making security an equal priority with performance and ease of use, vendors will continue to put secure coding on the back burner in order to shorten time to market and remain competitive in their space. Hard-dollar savings to the vendors can be calculated easily by the revenue lost to a competitor that is not releasing 30 security patches a month.

Q: What do you find to be the most compelling business argument for investing in security for C-level executives?

A: This depends on the C-level executive. Chief marketing officers are likely to have reputational risk foremost in their minds. A CFO will probably think of compliance as the main business case for investing in security. More and more, CEOs are looking at security as a competitive advantage rather than as a necessary evil.

Q: All the models for calculating ROSI seem to involve two factors: the probability of an event and the cost if such an event occurs. I find that estimating these is very subjective. Am I missing something?

A: You are correct. Unless you've established the necessary metrics applicable to your business model to draw your return estimate, it is very subjective, especially the first time you try to calculate ROSI. These all become much more accurate over time.

Q: Is it possible to accurately quantify ROSI? If so, are there industry standard metrics in place to measure ROSI?

A: Yes, it is possible to accurately calculate ROSI, but your calculations are only as good as your metrics. I'm not aware of industry standard metrics for ROSI, but these resources might help you:

The Systems Security Engineering Capability Maturity Model: www.sse-cmm.org/metric/metric.asp

The Security Metrics Consortium: www.secmet.org

The National Institute of Standards and Technology's Security Metrics Guide for Information Technology Systems: csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf

The Institute for Security and Open Methodologies' Security Metrics Risk Assessment Values: www.isecom.org/securitymetrics.shtml

Q: I've heard that net present value is a better gauge than ROSI. Do you agree? What are the main differences? Are there any scenarios in which you'd want to use net present value instead of ROSI?

A: This is another great question, and another one that is difficult to sum up in just a few sentences. NPV is great when you are calculating return based on estimated cash flow and initial investment, but you rarely will see an actual tangible cash flow or return from investing in an area or form of risk management. NPV is used most of the time to justify starting an initiative, and ROSI is used when a security initiative has to be quantified. You might have to do a project whether or not it will show a return at all, but at least with ROSI you can compare to scale among similar projects and investments with greater flexibility. ROSI's flexibility is what gives it purpose.
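The two answers on probability-times-cost and on NPV versus ROSI, worked through as numbers. This is an added example, not part of the column or of any vendor tool: the "dlp" and "training" controls, their loss figures, mitigation ratios, costs and the 10% discount rate are all constructed assumptions, and the sensitivity sweep shows how much a guess at the event rate moves the answer.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Control:
    name: str
    single_loss_expectancy: float  # cost of one occurrence of the loss event
    annual_rate_before: float      # expected occurrences per year with no control
    mitigation_ratio: float        # fraction of expected loss the control removes
    annual_cost: float             # recurring cost: licences, staff, upkeep
    upfront_cost: float = 0.0      # one-time implementation cost


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annualised rate of occurrence (probability x cost)."""
    return sle * aro


def rosi(c: Control) -> float:
    """One-year ROSI: (loss avoided - cost of control) / cost of control."""
    ale = annual_loss_expectancy(c.single_loss_expectancy, c.annual_rate_before)
    loss_avoided = ale * c.mitigation_ratio
    cost = c.upfront_cost + c.annual_cost
    return (loss_avoided - cost) / cost


def npv(c: Control, years: int, discount_rate: float) -> float:
    """NPV treats avoided loss as a cash flow and discounts it over the horizon."""
    ale = annual_loss_expectancy(c.single_loss_expectancy, c.annual_rate_before)
    yearly_net = ale * c.mitigation_ratio - c.annual_cost
    pv = -c.upfront_cost
    for t in range(1, years + 1):
        pv += yearly_net / (1 + discount_rate) ** t
    return pv


def rosi_sensitivity(c: Control, rate_guesses) -> dict:
    """ROSI for each ARO estimate: how far a subjective input moves the answer."""
    return {aro: rosi(replace(c, annual_rate_before=aro)) for aro in rate_guesses}


def rank_by_rosi(controls) -> list:
    """Compare candidate investments by ROSI, the cross-project comparison described above."""
    return sorted(controls, key=rosi, reverse=True)


# Constructed figures (assumptions): a 200k-per-incident loss expected every two years.
DLP = Control("dlp", 200_000, 0.5, 0.8, annual_cost=20_000, upfront_cost=40_000)
AWARENESS = Control("training", 200_000, 0.5, 0.3, annual_cost=5_000)

if __name__ == "__main__":
    print(f"ROSI {DLP.name}: {rosi(DLP):.2f}  NPV 3y @10%: {npv(DLP, 3, 0.10):,.0f}")
    for aro, r in rosi_sensitivity(DLP, (0.1, 0.5, 1.0)).items():
        print(f"  ARO {aro:<4} -> ROSI {r:+.2f}")
    print([c.name for c in rank_by_rosi([DLP, AWARENESS])])
```

Moving the rate guess from once a decade to once a year flips the DLP ROSI from negative to strongly positive, which is the subjectivity the reader asked about; the NPV figure only becomes meaningful once you are willing to treat avoided loss as cash.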
