With respect, the cost to repairing a server from a virus attack is not an
affective metric that will get most senior managers attention. You should
always tie back information security to the business. Almost every company
in the world (with very few exceptions) are in the business of making money
and not in the business of running a secure environment. Put another way
they are in the business of running an environment that is secure enough to
do business. The financial cost due to lost productivity or due to loss of
critical business data will almost always far outweigh the cost of a
relatively low paid system admin repairing a host. Senior executives will
also relate to wasting time due to IT issues and annoyances of not being
able to get to their saved copy of that great Forbes article "Top Ten Global
Golf Courses to Do Business On".
IMHO ROI from security is widely touted by salesmen who think they can
somehow prove to someone that they can save money by lining their pockets in
exchange for a silver bullet. In reality unless they understand the detailed
financials of a company and how it makes money it is generally bs.
Quantitative risk assessment is usually based on assumptions that make it
meaningless.
The value of an info sec to most companies is that it lets them get on with
what they care about. Making money.
-----Original Message-----
From: Ruiz, Rolando [mailto:rolando_ruiz@jetaviation.com]
Sent: Tuesday, April 04, 2006 11:49 AM
To: Crayola; security-management@securityfocus.com
Subject: RE: Reports for Exec Management
Mike,
I don't know if this will help but, what I do is provide the number of
attacks blocked and analyze that by providing information on one. If you
provide the cost of fixing problems caused by one attack (man hours,
downtime, customer and user impact, etc...) you will be able to show them
that you are in fact saving the company money. This is your Return on
investment ROI which they love to hear. What you are looking to do is prove
how you are not wasting their money, but instead saving them money.
Example, if a virus is successful; calculate how the impact of affected
servers and computers would cost money to repair. Then calculate that cost
times the number of attacks you've prevented (you must be able to prove that
you prevented them) and compare that against the cost of any IDS systems and
implementations your security team has done.
Hope this helps.
Regards,
Rolando Ruiz
Information Technology
-----Original Message-----
From: Crayola [mailto:crayola@optonline.net]
Sent: Monday, April 03, 2006 11:36 PM
To: security-management@securityfocus.com
Subject: Reports for Exec Management
I need to begin putting together monthly reports for
executive management (CEO) that show the value that the Information
Security department is providing to the company. The execs know what we
do, my senior mgmt feels we need to broadcast the value Infosec provides.
I know a couple things about exec reports.. keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare
them needlessly. How can I show value without being alarmist? If I say that
we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack.
What do ya'll provide to your execs? Its tough to show the value of what you
do when that value consists of potentially making something not happen
(security incident).
Thanks,
Mike
