ROI with Security

Finally, a Real Return on Security Spending

18.02.2002
By Scott Berinato

"There was no return on investment in there at all," he adds. "I spent $110,000, and I got, 'You're good.' What's that?"

This is the dilemma that faces CIOs and CSOs everywhere. A lack of data on infosecurity makes it difficult to quantify what security gets you. In lieu of numbers, information executives rely on soft ROSIs: explanations of returns that are obvious and important but impossible to verify.

Executives know the threat is real, but CIOs say executives don't feel the threat. No one buys burglar alarms until someone they know is robbed. For that reason, IT relies on, more than anything, fear, uncertainty and doubt to sell security - in other words, FUD. The thinking is, if you scare them, they will spend.

But even FUD has limitations, especially during a recession. The signs of the down economy's impact are everywhere. At Fidelity, the chief information security officer (CISO) position was eliminated. At State Street Global Advisors in Boston, CISO Michael Young needs four more security staffers, but there's a hiring freeze. "If we invest in anything that promotes less downtime, that's a positive ROI," Young says. "But still, there's no quantified value associated with [staffing], and that's a problem. If I could go in there with a return on the bottom line resulting from these hires, bingo! That would be it."

To say there's no good ROSI data is not to say there's no data. Numbers are indeed used to sell security; it's just that they've had zero statistical validity.