Musings on Information Security
November 2006

This work is licensed under a Creative Commons Attribution 2.5 License.
ROI of Security: the debate continues...

Dr. Chuvakin has an interesting post about the ROI of security. This is what he says:

"First, bear with me since I am still trying to build a coherent picture of security ROI for myself from all the diverse sources of info, some as smart as Pete Lindstrom :-) In general, I am leaning towards "there is no ROI for security; there are only cost savings.""

I could not agree with him less. Suppose you have strep throat and, being concerned about it, you decide to go to a doctor. The doctor treats you and you pay for the service. The doctor tells you that the treatment gave you ROI: you were cured in 3 days, whereas without the doctor's service it would have taken 7 days, so the treatment gave you back 4 additional days of productivity.

EPD = your earnings per day in $

Your ROI = 4 * EPD - (doctor's fees)

Do doctors have to justify ROI for treating you?

Which one would you value most: your cure or your ROI?

Why should security professionals need to demonstrate ROI when they address the ailments and threats to a company's health?

Which security category does your company belong to?

There are about 9 different categories of companies when they are categorized along two dimensions. The dimensions I have chosen are security preparedness along the x-axis and the number of security breaches along the y-axis.

Lucky - These companies have low security preparedness, but they have been lucky enough to have had a low number of breaches. There is no guarantee that they will continue to be lucky. It is hard to implement security in such companies because management has not had the bitter experience of a breach. These are blissfully ignorant companies. One big bad incident could push them into the Aware category.

Aware - These companies also have low security preparedness, but they have had a high number of breaches. Because of that bitter experience, the management of these companies does understand the importance of security. It is much easier to implement security in "Aware" companies than in "Lucky" companies.

Unlucky - I meet unlucky people all the time, no pun intended. These companies have a high level of security preparedness, yet they have still had a high number of breaches. These are the companies that should spend time doing post-mortems of the breaches and applying the lessons that come out of them to enhance their security posture.

Desirable - These are the companies that have successfully deployed security to minimize the number of breaches. Which company does not want to be here? The goal for companies in the other categories is to consciously move into this category.

Of course, there are 5 other, average categories that I did not address; being average does not get much publicity either!

Security as a core competence

Security is sold to upper management in many flavors. A couple of compelling models are:

1. ROI savings model - Security is viewed as a Return On Investment in terms of savings it realizes.

2. Insurance policy model - Security is viewed as a risk reducing instrument.

Though both models are equally compelling, I am more inclined toward the insurance policy model. In both cases we need to do the math to arrive at the cost structure of security, which is more akin to cooking up numbers.

How about a third model where you don't have to cook up numbers? I would like to call it the "core competence model".

Company-A takes two long years to streamline its processes and implement security checkpoints in order to ensure the confidentiality, integrity and availability of its product offerings.

Company-B is a competitor of Company-A. Company-B will take at least 2 years to replicate Company-A's security competence. This will cost Company-B not only time but also lost opportunities due to its lack of security competence. Moreover, it may be hard for Company-B to replicate that security competence.

Security has become the core competence of Company-A and hence its competitive advantage.
