In my podcast interview, NetWitness CSO Edward Schwartz stated that “we don’t have the kind of ROI stories in security that other industries have.” As a veteran of several IT events, I’ve been bombarded with various Return on Investment (ROI) projections and a few value-centric arguments of how a particular product or service can address corporate risks. Ever the cautious consumer, I began to ponder the implications of these perspectives.

ROI is a reliable business metric in most industries. The simplest description of ROI is the ratio of an investment’s return less its cost to the cost of the investment. Carnegie Mellon University’s Don O’Neill described ROI components for the security industry in a February 2007 paper. His analysis focused on the ratio between savings and cost. Before you start making ROI calculations for the next board meeting, know that things are never that simple. O’Neill’s paper cites three different calculations of cost and savings that rely on operational issues in the enterprise.

As we go down the ROI rabbit hole, things get curiouser and curiouser. In a September 2008 article, Bruce Schneier revealed some of the flaws that cast doubt on the quality of infosec ROI metrics. According to Schneier, “Cybersecurity [ROI] is considerably harder, because there just isn’t enough good data. There aren’t good crime rates for cyberspace, and we have a lot less data about how individual security countermeasures — or specific configurations of countermeasures — mitigate those risks. We don’t even have data on incident costs.”

Schneier’s concerns related to the actuarial assumptions inherent to conventional ROI metrics include the probability and impact of incidents. Natural disasters and certain man-made incidents have years of reliable data upon which insurance premiums are based. Schneier points out that is not the case for information threat vectors. “One problem is that the threat moves too quickly.
The characteristics of the things we’re trying to prevent change so quickly that we can’t accumulate data fast enough. By the time we get some data, there’s a new threat model for which we don’t have enough data. So we can’t create ALE models.”

Our customers, the business stakeholders, will regard ROI as a critical consideration regardless of its flaws. Take heart – all is not lost. The same cognitive mechanisms that draw comfort from ROI metrics also respond to an appeal to an investment’s value statement. According to Edgewater Blog’s Ahmed Hafeez, “sometimes there are cases when ROI is not clearly defined, is impossible to define, or simply not that important to the stakeholders. Under such circumstances a value statement can be instrumental or even a must. They help overcome resistance, bind together stakeholders, and focus the project around delivering real business value.”

A value statement connects a project or investment to the mission and values of the organization. There are cases where value overrides financial ROI. Consider that compliance investments often do not carry a positive ROI. However, their positive value extends to the brand equity of the company and the confidence its customers bestow.

Below are the typical components of a value statement:

- Describe traits or qualities that are considered imperative
- Describe actions which align with corporate values and culture
- Illustrate how the organization will behave toward customers, suppliers, employees, partners and other stakeholders
- Identify the business benefits of the values in action

Am I arguing that we should ban ROI from tactical and strategic security planning? Absolutely not! We must understand that such plans require a long-term vision that is defeated by a myopic focus on financial ROI.
According to Eddie Schwartz, “real events and real activities get attention.” A cogent value statement combined with a best-effort ROI can enhance both the bottom line and the security posture of the company by identifying the operational conditions for success.