Security Return On Investment (ROI)

Regardless of where I have worked, both in consulting / professional services (trying to sell stuff) and as an end user in industry (trying to get funding to buy stuff), security ROI has always been a challenging topic.

Ultimately, in seven years in security (not long, I know, to get this smart) I have only seen one effective reason for any expenditure on security.

That reason is regulation (and to a lesser degree the audit findings based on regulation). This has always fundamentally bothered me, and in fact part of the reason I left the financial services industry recently was to start making different business cases / PowerPoint decks (which would still get ignored by executive management). This is because, quite rightly, very smart and rich business people do not want to spend any money on anything that will not make them more money or save them actual costs (as opposed to a % chance of saving a % chance of a possible cost X).

The regulation business case has bothered me because I believe that the role of government and regulation is to correct market failures, i.e. to provide goods that produce positive social externalities over and above the negative effect of the taxes required to fund them (e.g. health, welfare, police, education, national security) and to reduce incentives for negative social externalities (e.g. drugs, fossil fuels, alcohol - all of which are either illegal or taxed heavily).

Does security really fall into these categories? The argument for this is clearest where large amounts of personally identifiable information (PII), health information, credit card information or financial results before public announcement are concerned. Here there is an argument that the cost to the company of not protecting this information adequately (even at the cost of going bankrupt) is less than the damage to broader society when large amounts of this information are stolen, lost etc. Of course this also means that regulation should only apply to companies and organisations that store, handle, process or transmit a material quantity (e.g. over 1 million records) of these information asset categories, allowing companies and the market to efficiently allocate security investment in other areas (e.g. company intellectual property, customer information, new products and promotions).

Unfortunately for society and businesses (but fortunately for us in the industry), regulation in general does not make this distinction (clearly HIPAA, PCI DSS etc. do, but SOX to a degree, general company law, the Office of the Comptroller of the Currency in the US etc. do not). There is a lot of Fear, Uncertainty and Doubt (FUD) used by both security solution companies and internal security teams, based on real or conveniently cited related regulation, to justify both the existence and expansion of security teams as well as investment in security technology and processes.

I believe the root cause of this is our inability to accurately calculate security risk, which makes the cost-benefit decision an educated guess at best rather than black and white. There are two key reasons for this:
  • I am a firm believer in Nassim Taleb and his hypothesis that, outside the physical domains (e.g. height, weight etc.), in the areas where power laws live (e.g. stock market prices, wealth distribution, security risks), human beings have yet to work out an accurate method of consistently predicting future results from past and current information. This is not necessarily an indictment of us; we have only truly been working on it for 40-60 years, and we will improve and may even get there to a material degree some day.
  • Unlike in insurance and credit risk (although see how well that worked out with the global financial crisis in 2008), in security we lack sufficiently accurate data to be able to calculate likelihood and impact. With recently started projects such as datalossdb and the web application security incidents database (the two I am aware of; I would love to hear of more) we are getting more of this information. Of course there are a number of limitations to the quality of this information, primarily:
    • they are based on publicly available information, which in turn rests on a growing set of laws requiring data loss reporting in particular. The security industry currently lacks what credit risk has had for years: a centralised public database to which every bank has to report credit losses, bankruptcies etc. I believe eventually we will get this through regulation, or the market will incentivise a Bloomberg equivalent to gather and sell it. For example the Verizon Data Breach reports are an excellent start and contain non-public information from cases where Verizon has been called in to investigate. It is really interesting that the datalossdb figures contradict a big piece of possible FUD in the security industry: that insiders are more dangerous than external attackers.
    • security incident management is a really weak area in many companies. We have not even reached the state the DR/BCP teams are in (although they had 9/11 to drive it): a clear response plan that is practised at least annually, consistent systems to record and measure incidents, and clear metrics. Therefore even the publicly known information is only what the company is aware of (i.e. when the loss materialises, as with TJ Maxx, which could be a number of years after the start of the incident), and even then there are no systems to calculate the true impact, especially considering that the true impact on reputation, brand, customer retention etc. may not be known for a number of years. Therefore we are stuck with rules of thumb and, worse yet, surveys and "expert opinions" (Hi Mr CIO/CISO, please come to my conference/event and tell us what you think the most important security risks are and what you are going to spend your non-zero-based budget on this year, even though you have no solid data to base that on. You must know what is right, because you stuck around long enough to get promoted to CIO/CISO).
So what should you do? For companies that store and process large quantities of PII, cardholder data, customer lists, trade secrets etc., spend as much money as you can to protect this information, applying the controls as close to the information itself as possible, or, if you can't, protecting the systems and infrastructure that handle it. Or better yet, transfer this risk to companies like the payment providers and simply don't hold high value data like cardholder information.

For companies that don't have a sufficient quantity of this information: don't spend any money on security, fire your security team and simply rely on the security controls that come by default in most products (e.g. usernames and passwords, anti-virus, personal firewalls), and buy cyber/security insurance to transfer the financial risk at least. Have a standard Ltd company with no personal liability; if the worst happens, declare bankruptcy and start again. Spend your money on anything that makes you more revenue or cuts an actual cost. In an insane world it is the only rational thing to do.

That is what should happen. What will actually continue to happen (and thank god for that):
  • Poorly thought out regulation, made up regulation and FUD will continue to drive expenditure on security
  • Influence, politics and favours will have disproportionate impact on investment decisions
  • Lunches, sports boxes, drinks and strippers spent on senior management will be money well spent


  1. From Shashi S (received via email):
    As with physical security threats, you may be able to identify what is a likely or unlikely threat (in those non-numerical terms), but the bus case ultimately rests with the potential likely impact of not taking action. i.e. don’t build better sec for internet banking? Impact is big personal losses to customers, loss of reputation, loss of brand image, etc. Impossible at this stage to quantify.

    The bus case behind the bus case, as always, is about how well you can actually sell these potential impacts without appearing to jump at shadows. This requires factual reference points in the past (read: similar incidents in the past) that you can hang your PowerPoint on.

    Fundamentally not a great system, means that the entire industry will always be reactive... but that’s business.

  2. From Greg H (received via email):

    Nice write-up on RoSI.

    The only way to get any bank to open wallets is to raise the regulatory/audit spectre.

    It's providing the funding for the 3 projects I'm currently driving @ at present.
