Risk Management
Calculated Risk
Many of you might be snickering by now because you don't share Nigriny's idealism about the necessity of an ROSI to sell security to the CEO and CFO. In fact, it seems you are legion in your resistance.
It's understandable, in a way. As CISO Tina LaCroix of insurance broker and consultancy Aon points out, "This elusive packaging of the ROI formula to validate our existence is one that may take us down an endless path," a path that probably looks to many CSOs like the one Nigriny's put himself on now with patch management.
But, in fact, it's not an endless path, and we're here to suggest not only that you can use ROSI to sell security internally but that you must. As good a reason as any for the mandate is this: Economist Frank Bernhard's research shows about six cents of every revenue dollar is at risk due to a lack of information security, whereas many companies spend barely a dime of their IT dollar on security.
"I'm not sure why IT tends to disregard these tools; it's a bit frustrating to keep hearing you can't do it accurately," says Bob Jacobson, founder and president of International Security Technology (IST), which handles physical and logical security risk assessment. "It's not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization, if they have the willingness to learn this."
None of which is to say ROSI isn't hard work for a security executive; it is. But it's not hard like calculus--plenty of researchers and economists have taken care of sigmas and mus and other esoteric economic math already. It's hard like running a marathon--ROSI requires legwork, and lots of it.