Everything new is old again – ROSI

Return On Investment.  (In security.)
Return On Security Investment.

It doesn’t exist.  But it keeps on coming back from the grave, no matter how many times we try to kill it.

OK, we can say that spending money on security keeps you from losing more money somewhere down the road.  But “investing” in security isn’t going to bring in revenue.  (Well, unless you want to try to estimate the extra business you got from being a “safe” company to do business with.)

We can also try to do quantitative risk assessment or analysis, and therefore be able to do something of a cost/benefit analysis of individual controls.  (Of course, a lot of people have done a “quick and dirty” qualitative cost/benefit analysis, and figured out that the cost of doing a quantitative risk analysis outweighs any possible benefit in terms of the greater accuracy of your cost/benefit analysis.)

Undeterred, now that we are in an economic quagmire, the media has started to spin ROSI as the way to ensure that you get the most out of your security investment.

Columnists love fairy tales …

  • Aviram (http://www.BeyondSecurity.com)

    “It doesn’t exist. But it keeps on coming back from the grave, no matter how many times we try to kill it.”

    Hear hear!

    I keep getting this request from our sales people – “give me an ROI chart. All the others have one”.

    Although I have held strong so far, I have to admit that, being the corporate weasel that I am, I can’t promise that I won’t give up one day and have our marketing make one (or rather, make one up). Of course, if that happens I’ll have to remember to come back and delete this comment [should have commented on this one anonymously. Too late].