By Adam Dodge
One of the most difficult tasks any information security practitioner faces is clearly communicating the need for information protection in terms of dollars lost. There are many obstacles to overcome depending on the culture of the organization, including a false sense of security, truthiness, and false proof. The problem, however, is that many organizations are unwilling to increase budgets unless there is a clear reason to do so. Therefore, many security professionals are in a position where they need an increased budget (or perhaps even an initial budget) and yet are at a loss for how to communicate this need in a manner the organization can understand.
Of all the different methods available, none is more controversial than ROSI, or Return on Security Investment. There has been much talk about the good/bad/ugly of ROSI already, so there is no need to go into it here. If you are interested in the topic, any search will return a wealth of resources.
Personally, I tend to avoid ROSI in all but a select few circumstances. The problem with ROSI calculations is that often there is not enough information available to accurately calculate the actual return expected. This problem could be overcome in time, since more and more information on incident costs is being collected, but that is a while off.
I do like to use ROSI when dealing with any security control that allows for automation and the saving of FTE work hours. This type of calculation can go a long way when dealing with management, since it shows a direct reduction of cost to the organization based on a specific purchase. However, one standard note of caution: when using ROSI to compute FTE hours saved, one thing that must be avoided is inflating and/or exaggerating the current FTE hours being spent on the task. Nothing will ruin a ROSI argument faster than unrealistic cost figures.
In fact, cost figures do not necessarily have to be false to be unrealistic… at least in the eyes of management. Unless an organization has experienced a major monetary loss due to a security incident, telling management that each record lost will cost the organization almost $200 can quickly seem unrealistic when dealing with tens of thousands of records. This is a clear case where perception bests reality.
One of my favorite ways to combat the perception vs. reality problem when explaining the costs associated with security problems is to use easy-to-understand concepts and ideas. (This is an idea that I stole… I mean borrowed from Michael Santarcangelo.) The approach I've had the best luck with is one I borrowed from Matthew Dalton of Ohio University that I've nicknamed the Breach-Stamp metric. The setup is easy: simply look at what postage would cost the organization, department, group, etc. if it were to suffer a breach.
The beauty of this approach is that it takes something everyone is familiar with, postage stamps, and shows how even modest breaches can have a dramatic financial impact. For example, at $0.41 per stamp, a breach involving 15,000 records equals almost $5,000 in postage stamps for notification letters alone. One great question to ask after explaining this is whether the organization, group, department, etc. has an extra $5,000 available for postage costs. The added bonus of using something as insignificant as postage is that many individuals view postage as a minor inconvenience, so a large postage cost can come as a shock that might just help get the point across.
The fact remains that, no matter what happens, communicating the cost of not protecting information in dollars lost will likely remain very difficult for most security professionals. However, since such arguments are likely to be the best, if not the only, way to obtain necessary budgets, we all must learn how to communicate such costs in a manner that management can understand.