Take 2 FUD and Call Me in the Morning
As independent consultants, we are often asked by clients for advice about security vendors and their products. Sometimes we take part in the evaluation and buying process overtly, sometimes covertly.
At some stage in this process the client usually remarks on how tired they are of FUD (http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt). Botnets, Russian Mafia extortionists, Chinese spies, industry regulators… the list of nightmarish visions coming from security vendors knows no bounds. When we ask our clients in what terms they would rather hear about IT security, many say “show me some ROI!”
ROI for security
So what is the ROI for security, and do we really believe it? The inputs such a calculation needs, the probability of a breach, the expected cost of clean-up and the cost of a compromised system being unavailable, are for most organisations little more than guesswork. If you don’t know these numbers for your own business, how on earth do you expect your security vendors to?
Most of the believable ROI work we have seen for security products and services centres on increasing the efficiency of staff, spreading security knowledge around the organisation, removing duplication of effort, and providing decision support to IT administrators. All of these are cases where the human in the loop is central to the value proposition.
As selling points, hordes of botnets, Mafiosi and Chinese spies can be partly replaced by force multipliers, time savers and skill sharpeners. As for the FUD sale built on industry regulation, penalties are almost never as serious as you might imagine. Regulation is there for good reason, but you may want to reconsider the priority given to spending $50K to fix a weakness which might, just might, earn you a $5K fine, or a ‘stiffly worded letter’ and another 12 months’ grace to fall into line with the regulations.
I say only partly replace - consider the ROI of the following:
- Taking out insurance
- Hiring a better company lawyer
- Having an ethics programme/office/guidebook
- Firing staff that perform poorly.
Sometimes you won’t find a straightforward ROI for security. When that happens, resist the temptation to justify the spend with strained assumptions and convoluted calculations. Instead ask yourself: what would I do if it were my own money I was spending?
…and if that doesn’t work…
Take 2 FUD and call me in the morning.
The author
Nick Hutton is a Director of Three Sixty Information Security Ltd, an independent provider of information security professional services and project management to the public and private sector. For more information see www.360is.com or the 360is blog at 360is.blogspot.com