It seems that blog topics are cyclical and raise their head every few months. A couple of the hot ones are full disclosure and ROI, both of which have reared their ugly heads lately. ROI has been on the front pages again in the last few days, and it seems that, as usual, we can't agree on whether or not there is such a thing as security ROI. The purists say that it doesn't exist because it doesn't meet the "true" definition of ROI. The "revisionists" say that there is ROI on security, but you have to measure it differently. Yada, yada, yada, the debate goes on and on..............zzzzzzzzzzzzzzz.
Yesterday it hit Twitter and several people jumped in and commented, but one comment that really struck me came from my friend Jack Daniel. He said that the true measure of security is failure, or, as the new buzzword says, "Security Fail". That struck a chord with me and I have to agree 100%. That is the true measure of security, whether it be a device, application, or program. If you fail, you lose. So Jack and I coined the new term FOI, Failure of Investment. When it comes to buying, implementing, or doing anything in regards to security, the value of the investment is determined by success or failure. Not how much it cost vs. saved. Not how easy it is to deploy or manage. Not how much time it saves, etc. The real measure is made when it protects or fails to protect.
It may be that it does a great job of protecting most of the time, but the one failure may be its (or your) demise. Now we have to define failure, though. In my mind, failure doesn't come because a new flaw was discovered in your AV, firewall, IDS/IPS, or other security device or app. It comes when that flaw isn't managed properly by either the vendor or your team. If the vendor fails to respond properly and the vulnerability is exploited, then they fail. If they do respond properly and you fail to implement the fix, or if you fail to look for and implement other measures to protect yourself during the vulnerability window, then you fail.
As we all know, failure can be fatal to your job. So it's in our best interest to quit debating and trying to define Security ROI and to focus on preventing FOI.