Proving Security ROI in Tough Economic Times
Last Updated: 2008-12-22 16:13:48 UTC
by Mari Nichols (Version: 2)
Security is such an integral of our lives as IT professionals. We constantly fret about how to secure our networks ... to the point of paranoia. We diligently monitor the latest security issues. You wouldn’t be reading this now if you didn’t, right?
As security experts, we take for granted that others don’t comprehend what we know to be fact. I am constantly amazed at the lack of interest, knowledge or commitment to information security. Although we are not a c-level executives stressing about how to make a profit in these turbulent times, as budget cuts are becoming reality, we are feeling the pain of the proverbial “tightening of the belt”.
How can we keep security spending on par with threats and exposure? Are we doing our jobs if we can’t prove ROI? How do you provide the proper information to management so they can make better decisions about capital investments? I’d like to hear your war stories. Do you provide metrics, statistics or resort to fear mongering? Use our contact page to let us know.
I look forward to hearing how creative you are getting.
Update: Ben sent in this gem: There is an old saying in the InfoSec world, "Good security is just good systems administration". Whilst this is a limited perspective, as security extends well beyond just the system administration functions of the organisation, it is none-the-less accurate. A more holistic and accurate way of saying it is however, "Good security is just a function of good quality."
Another reader said "Security awareness training and a million dollars here or there is a good investment to preserve the funding pipeline and organizational reputation. To the executives it's less about ROI than protecting image, funding, and cost avoidance with respect to reporting breaches."
In addition, think about centralizing and using your outsourcing budget to save money. There may be wiggle room in that as well as some pretty good metrics.