There’s been some comment discussion in
about security ROI.
Ken Belva’s point is that you can have a security ROI,
to which I have agreed (twice).
Iang says he’s already addressed this topic, in a blog entry
in which he points out that
Calculating ROI is wrong, it should be NPV. If you are not using NPV then you’re out of court, because so much of security investment is future-oriented.Iang’s entry also says that we can’t even really do Net Present Value (NPV) because we have no way to calculate or predict actual costs with any accuracy. He also says that security people need to learn about business, which I’ve also been harping on. I bet if many security people knew what NPV was, they’d be claiming they had it as much as they’re claiming they have ROI.— ROI: security people counting with fingers? Iang, Financial Cryptography, July 20, 2007
My point remains that this whole emphasis on calculation is part of the problem. Security people tend to be engineers, whose whole orientation is to be able to build, fix, and calculate to do so. To quote PricewaterhouseCoopers again:
“But what about those areas, like reputational risk, that are both harder to measure and more sudden and severe in their impact?”Banks and financial institutions that have been dealing with financial risk for centuries are still having some trouble admitting that some risks can’t be prevented, fixed, or even accurately predicted: only mitigated. Increased measurement and better detailed calculation will shift which risks can be handled which way, but there will always be risks that are uncertain, big, and sudden. Both security people and business executives need to get used to dealing with them. Those who don’t, well, their companies will be like U.S. automakers trying to catch up and produce hybrid cars, or like most airlines trying to catch up to Southwest, which spent money to hedge its fuel prices even though it couldn’t predict exactly how much that would save or when.
Risk management isn’t just about calculation. It’s not just about tactics. It’s also about strategy.
-jsq
Proper analysis , management and mitigation of risk is important to minimize uncertain conditions over high contingent risks .