December 5, 2006

By David Stern

I really dislike ROSI. Return on Security Investment is a cancerous outgrowth of ROI. Bean counters use this metric to determine the effectiveness of a security program. The logic follows this path: invest $100 in security technology, process, or procedure. If the organization cannot quantify more than $100 in savings, then the program is a failure. Bovine excrement!

Network or email server upgrades bring more speed and capacity: a seemingly direct value-add to the business operation. It is extremely rare to see information security “improvements” portrayed in a similar positive light. I am not implying that performance metrics do not apply to information security. I am stating that in most organizations it is impossible to take this measurement, because the security function itself has been set up wrongly.

Information security functions are almost always attached to some part of the IT organizational tree, a common and dangerous mistake. This structure guarantees that information security functions are purely operational, when most security program functions have nothing to do with IT or operations. ISO 27001, the globally accepted framework for an information security program, includes legal compliance, personnel management, disaster recovery, awareness training, policy definition, and many other non-IT elements. Imagine a Windows group that doesn’t manage Active Directory, or a networking group that isn’t responsible for the LAN. It would never work. And yet information security groups are regularly shackled by management who do not fully understand information security. Managing firewall rules and anti-spam protection is not managing information security.

True information security professionals do not share as much in common with other IT functions as management would believe. UNIX, networking, application development, Windows, and support are critical functions to any business. But none of these technical practitioners have compliance responsibilities, ethical codes, or legal principles as core components of their competency.

You can build a not-so-fast network, or design a not-so-perfect AD infrastructure, and it will work. In fact, people might never know. But information security has to be practiced correctly. There are principles and best practices to be followed. “Compensating controls” aren’t shortcuts; they are another approach to getting the job done the right way.

The economics of IT make this argument extremely difficult to present coherently. For this reason, we got ROSI.

ROSI is the holy grail of information security practitioners. If there were a way to clearly demonstrate the business case for a properly funded, comprehensive security program, we could show a return on investment. An ROI means value to the bottom line, and that is what management cares about. The quest to reach ROSI has begotten magazine articles, books, seminars, and even products. In a way, it has become a cynical mile marker along the uphill march to push information security. The prevailing view of decision makers, including many information security stakeholders, is that security is not an investment, it is a cost. Billions invested in security people, process, and technology, and yet none of it has a business value? Something is missing.

Let’s add it all up. We have federal and state laws, along with industry initiatives such as PCI, forcing organizations to recognize information security. We have proven practices and methodologies being executed by certified professionals. We have tools and technologies that cover the gamut of security challenges. How can we turn this veritable treasure trove into an enabler of business?

With nothing more than reorganization and a mandate, the latent potential of information security can be released. System standards, change control, and security development life cycle practices would force operations to run cleaner and more efficiently. Application security standards would reduce software errors and improve troubleshooting. Accreditation processes would force teams to design and build architectures according to best practices. All while protecting the organization from the common threats.

The gauntlet has been thrown down. The secret is out. Management holds the key to unlocking the incredible potential energy pent up within their organization. To quote John Wayne from The Alamo: “There’s right and there’s wrong. You got to do one or the other. You do the one and you’re living. You do the other and you may be walking around, but you’re dead as a beaver hat.”

About the Author Guest Blogger

