Failure-on-Investment a More Accurate Measure of Security?
I’m a few days behind on this, but earlier this week Andy Willingham of the Andy, ITGuy blog and Jack Daniel of the Uncommon Sense Security blog (and, as far as I know, not the maker of affordable bourbon) proposed that the better way to measure the success of a security program is not return-on-investment (ROI) but FOI: failure-on-investment.
It sounds a wee bit tongue-in-cheek, but it isn’t. From Willingham’s blog:
- “When it comes to buying, implementing, or doing anything in regards to security the value of the investment is determined by success or failure. Not how much it cost vs. saved. Not how easy it is to deploy or manage. Not how much time it saves, etc…. The real measure is made when it protects or fails to protect.”
They make quite excellent points, but I’m not 100 percent convinced of this. (Though I may be by the time I finish writing this post.)
If you want to run the kind of security program the future demands (the kind that some of the best and brightest security teams have already built), you have to support the business, and that means being more about risk management than about straight “security” per se.
Businesses are willing to accept some risk (how much, of course, depends on what sort of business you’re in). They’re willing to accept some attacks and even some breaches, as long as the expected fallout costs less than the security that would have prevented it. This is exactly why data breach notification laws and data security regulations try to make breaches more expensive and more generally uncomfortable for businesses: to tip that calculation so that better security is worth the investment.
Let’s say you lose a laptop containing PII, and that laptop was protected with whole-disk encryption. The business might not care so much whether the encryption actually works and keeps the thief away from the data (though, assuming the machine was powered off and the passphrase wasn’t taped to the lid, it probably will). They might care more that whole-disk encryption is one of those get-out-of-jail-free cards that keeps them out of trouble with PCI DSS and with the data breach notification laws, most of which exempt encrypted data from the notification requirement. So, in this case at least, return-on-investment is a more applicable measurement than failure-on-investment.
Isn’t it? I’m not sure. I’m not 100% convinced that I’m not 100% convinced by this failure-on-investment thing. I’d love to hear your thoughts.
Sara Peters, senior editor at the Computer Security Institute, is a well-rounded geek-at-large with particular enthusiasm for Web 2.0 security, Web vulnerability disclosure law, virtualization, and cartoons about ninjas.

September 15th, 2008 at 9:17 am
[...] Security Provoked… Failure-on-Investment a More Accurate Measure of Security? Sara Peters, meanwhile, is a bit more skeptical. She argues that for some companies, there are more [...]