Agreed. Security ROI is the Holy Grail, and I don't see it coming anytime
soon. I have yet to see an ROI formula that isn't pure smoke & mirrors,
and security vendors have lost credibility bluffing with that hand.
However, it can be a challenge explaining information security in business
terms.
Security has to be viewed as a business enabler for executives to see any
real value in it. They have to realize, for example, that customers want
to trust their personal information is safe before buying your product,
investing with your brokerage, going to your hospital, etc. This often
means publicly stating your commitment to such measures (anyone who thinks
it's dangerous to tout strong security, on the grounds that they will
become a target for attack, is either misinformed or not very good at
security).
Secure thinking should permeate the entire organization to be truly
effective, and ultimately inexpensive. It should be among the first
considerations in every action, reaction and decision about new products,
business practices, procedures, technologies, etc. It cannot be a
band-aid, or an afterthought. Organizations who don't embrace this concept
will not survive.
How many of us have avoided purchasing something on-line, or even changed
banks, due to security concerns? Everyone on this list has a good
understanding of this stuff, but the average person doesn't know what to
look for. Upper management have to be educated before they can make
informed decisions, and that goes a long way when budgets are being set.
- Rich
"Mark Curphey" <mark@curphey.com>
04/05/2006 08:42 AM
To
"'Ruiz, Rolando'" <rolando_ruiz@jetaviation.com>, "'Crayola'"
<crayola@optonline.net>, <security-management@securityfocus.com>
cc
Subject
RE: Reports for Exec Management
With respect, the cost to repairing a server from a virus attack is not an
affective metric that will get most senior managers attention. You should
always tie back information security to the business. Almost every company
in the world (with very few exceptions) are in the business of making
money
and not in the business of running a secure environment. Put another way
they are in the business of running an environment that is secure enough
to
do business. The financial cost due to lost productivity or due to loss of
critical business data will almost always far outweigh the cost of a
relatively low paid system admin repairing a host. Senior executives will
also relate to wasting time due to IT issues and annoyances of not being
able to get to their saved copy of that great Forbes article "Top Ten
Global
Golf Courses to Do Business On".
IMHO ROI from security is widely touted by salesmen who think they can
somehow prove to someone that they can save money by lining their pockets
in
exchange for a silver bullet. In reality unless they understand the
detailed
financials of a company and how it makes money it is generally bs.
Quantitative risk assessment is usually based on assumptions that make it
meaningless.
The value of an info sec to most companies is that it lets them get on
with
what they care about. Making money.
-----Original Message-----
From: Ruiz, Rolando [mailto:rolando_ruiz@jetaviation.com]
Sent: Tuesday, April 04, 2006 11:49 AM
To: Crayola; security-management@securityfocus.com
Subject: RE: Reports for Exec Management
Mike,
I don't know if this will help but, what I do is provide the number of
attacks blocked and analyze that by providing information on one. If you
provide the cost of fixing problems caused by one attack (man hours,
downtime, customer and user impact, etc...) you will be able to show them
that you are in fact saving the company money. This is your Return on
investment ROI which they love to hear. What you are looking to do is
prove
how you are not wasting their money, but instead saving them money.
Example, if a virus is successful; calculate how the impact of affected
servers and computers would cost money to repair. Then calculate that cost
times the number of attacks you've prevented (you must be able to prove
that
you prevented them) and compare that against the cost of any IDS systems
and
implementations your security team has done.
Hope this helps.
Regards,
Rolando Ruiz
Information Technology
-----Original Message-----
From: Crayola [mailto:crayola@optonline.net]
Sent: Monday, April 03, 2006 11:36 PM
To: security-management@securityfocus.com
Subject: Reports for Exec Management
I need to begin putting together monthly reports for
executive management (CEO) that show the value that the Information
Security department is providing to the company. The execs know what we
do, my senior mgmt feels we need to broadcast the value Infosec provides.
I know a couple things about exec reports.. keep them short (one page),
never propose a need without an answer, and huge IDS numbers will scare
them needlessly. How can I show value without being alarmist? If I say
that
we
successfully blocked over 1.5 million attacks last month they'll have a
heart attack.
What do ya'll provide to your execs? Its tough to show the value of what
you
do when that value consists of potentially making something not happen
(security incident).
Thanks,
Mike
