ISACA Journal Author Blog


Return on Security Investment (ROSI)

Published: 1/12/2015 3:19 PM | Category: Security
Ed Gelbstein, Ph.D.

The need to justify expenditures with a return on investment (ROI) grows steadily as everyone is trying to reduce costs—in the private sector to “optimize shareholder value,” and in the public sector to “cut public expenditure.” In extreme cases, this leads to what I call saving money regardless of cost (SMRC).

The chief information officer (CIO) and chief information security officer (CISO) are disadvantaged when competing against other corporate functions for funding—security is essentially an expense, while other areas, such as marketing, target new revenue. This is not the only disadvantage CIOs and CISOs face. Other challenges include:

  • The benefits of any investments in security are not accrued by the IS/IT department. They are corporate and, regardless of the numbers (which are difficult enough to estimate), without a business process manager accepting such benefits as being roughly correct and supporting them, the return on security investment (ROSI) becomes a piece of science fiction.
  • There are few, if any, metrics that allow an estimate of the likelihood of a successful cyberattack. This is because new vulnerabilities emerge with every new product or software upgrade, hackers get smarter, malware for sale becomes increasingly available and each organization may become a target of hackers, spies, activists or criminals. We just do not know and have to make guesses about future events. As the Danish physicist Niels Bohr said, “It is very hard to make predictions, particularly about the future.”
  • Worse, this lack of knowledge implies that asking the question, “Are we likely to be a target in the next 12 months?,” in the absence of other indicators, such as detected attempts to penetrate the organization’s networks or systems, is the equivalent of tossing a coin: a probability of 50% that the answer is yes and a probability of 50% that it is no.

My recent Journal article describes the steps to put together a ROSI that is robust enough to withstand close scrutiny, including factors such as conditionalities, e.g., lack of knowledge that the product or service to be purchased will actually work as described by the vendor, that it will be correctly configured and that people will know how to use it. This is not always the case.

There are many ROSI calculators available online and some proposed by serious organizations. Many of them are of doubtful value because they are simplistic and rely on data that needs to be guessed (e.g., mitigated annual loss expectancy).

On the other hand, given that the sums of money involved are modest, how likely is it that there will be a post-implementation benefits audit to validate the original ROSI?

Read Ed Gelbstein’s recent Journal online-exclusive article:
“Return on Security Investment—15 Things to Consider,” ISACA Journal, volume 1, 2015.
