Security is insurance, not an investment - no ROI

Bruce Schneier summarizes and expands on the discussion from several security professionals in his post, “Security ROI” - quoting parts:

“ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.

And a company should implement only security countermeasures that affect its bottom line positively. It shouldn’t spend more on a security problem than the problem is worth. Conversely, it shouldn’t ignore problems that are costing it money when there are cheaper mitigation alternatives.

I don’t necessarily agree that you should see a direct impact on your bottom line as the result of a security investment. I believe security investment is more like insurance: there may be no direct cost savings, but there is a reduction in potential cost. I also like the insurance analogy because most non-security people can grasp it quickly.

Let me explain.

As Bruce alludes to in his article, the traditional model for calculating risk in the security space is:
risk = threat x vulnerability x consequence

In my mind, “security” investment helps provide the mitigation necessary to reduce the vulnerability variable to a point where the risk value is acceptable.

Security countermeasures are a risk mitigation strategy.

Insurance is a little different: it helps offset the consequence variable.
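An added example (not part of Bill's post) that puts the post's risk formula to work: a security control lowers the vulnerability term, insurance lowers the consequence term, and Schneier's bottom-line rule decides whether each is worth paying. All figures are constructed for illustration.

```python
# Added example, not from the original post. Models the post's formula
# risk = threat x vulnerability x consequence and compares a security
# countermeasure (acts on vulnerability) with insurance (acts on consequence)
# against the rule "don't spend more on a problem than the problem is worth".
# Every number below is a constructed illustrative value, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    threat: float         # expected attack attempts per year
    vulnerability: float  # probability an attempt succeeds, 0..1
    consequence: float    # loss per successful attack, in currency units

    def risk(self) -> float:
        """Expected annual loss: threat x vulnerability x consequence."""
        return self.threat * self.vulnerability * self.consequence


def apply_countermeasure(s: Scenario, vuln_reduction: float) -> Scenario:
    """A security control reduces the vulnerability term (0.8 removes 80% of it)."""
    return Scenario(s.threat, s.vulnerability * (1 - vuln_reduction), s.consequence)


def apply_insurance(s: Scenario, covered_fraction: float) -> Scenario:
    """Insurance reduces the consequence term: the insurer absorbs that share of each loss."""
    return Scenario(s.threat, s.vulnerability, s.consequence * (1 - covered_fraction))


def evaluate(s: Scenario, mitigated: Scenario, annual_cost: float) -> dict:
    """Worth paying only if the risk it removes exceeds what it costs."""
    reduction = s.risk() - mitigated.risk()
    return {"risk_before": s.risk(), "risk_after": mitigated.risk(),
            "risk_reduction": reduction, "net_benefit": reduction - annual_cost,
            "worth_paying": reduction > annual_cost}


def cheapest_acceptable(options: dict, acceptable_risk: float):
    """Name of the cheapest option whose residual risk is acceptable, or None."""
    ok = [(cost, name) for name, (mitigated, cost) in options.items()
          if mitigated.risk() <= acceptable_risk]
    return min(ok)[1] if ok else None


if __name__ == "__main__":
    base = Scenario(threat=10, vulnerability=0.2, consequence=50_000)  # 100,000/yr expected loss
    control = apply_countermeasure(base, 0.8)   # hardening: vulnerability 0.2 -> 0.04
    insured = apply_insurance(base, 0.6)        # policy covers 60% of each loss
    print(evaluate(base, control, annual_cost=30_000))
    print(evaluate(base, insured, annual_cost=45_000))
    print(cheapest_acceptable({"control": (control, 30_000), "insurance": (insured, 45_000)}, 25_000))
```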

But there is a similarity between “security” and “insurance” that I think most business people can understand.

They are both investments you are happy to pay for, because they offset expected risk.

I have health insurance, car insurance, term insurance, permanent insurance, disability insurance, and probably a host of others as a part of my compensation package.

I’m very happy to “throw this money away” because it offsets risk to the point that I’m happy.

If I died today, I know my fiance will be taken care of, financially. I don’t see a direct reduction in my expenses, or an increase in bottom-line revenue, if the threat never materializes.

I think business investment in security products and services is similar.

We implement them to reduce the risk value to the point where we are satisfied.

I like the insurance analogy, and think that it is much more tangible for non-security folks.

Bill
