Security's Everyman

Tuesday, July 31, 2007

The debate continues

I just tallied the results of my first poll (well, actually they were automatically tallied). It looks like the jury is still out on Security ROI. There has been lots of good debate going on lately regarding this, and both sides have good points.

The question was "Whether real or perceived, does security provide ROI?"
46% said Yes, it does provide ROI
54% said No, it does not provide ROI

Obviously the No's have it, but the results are fairly close. If I were a statistician and figured in a margin of error of 3 or 4 percent then the results could be much closer.

People much smarter than me have written on this and have sound arguments for their positions but here is the final word (I can say that because it's my poll) :)

In the strictest sense of the term, security does not provide ROI, but when you look at it in the big picture and take into account things that you can't really measure (and that is what happens in real-life business every day), then yes, it can and does provide ROI. Money not spent because a breach didn't happen is a form of ROI. Savings realized because of time saved due to a security measure introduced is a form of ROI.

Now I know that many of you will take issue with this and go back to the "literal" definition of ROI but this world isn't literal when it comes to technology and security. If it was then my guess is that most of us would not be employed in this field because our "literal" inability to completely protect our networks and data 100% of the time would push us out the door. The Information Security field would be reduced to a very small group of people in a "literal" world.


Rob said...

Is there a reason you never post my comments, or are they just lame? :)

Andy, ITGuy said...

Rob, this makes 2 I've posted. I felt bad so I looked through all of my comments and only found one other. Honestly, I post all comments unless they are spam. Positive, negative, good, bad. Even lame ones. :) Keep commenting and I'll post them.

Allen Baranov, CISSP said...


I was on the fence with this vote but you had a comment somewhere about toilet paper being ROI and that got me.

Both InfoSec and Toilet paper are not going to increase your bottom line but you'll be deep in the sh.t without them so I voted "yes".

