Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Proving Security ROI in Tough Economic Times SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Proving Security ROI in Tough Economic Times

Security is such an integral of our lives as IT professionals.  We constantly fret about how to secure our networks ... to the point of paranoia.  We diligently monitor the latest security issues.  You wouldn’t be reading this now if you didn’t, right?   

As security experts, we take for granted that others don’t comprehend what we know to be fact.  I am constantly amazed at the lack of interest, knowledge or commitment to information security.  Although we are not a c-level executives stressing about how to make a profit in these turbulent times, as budget cuts are becoming reality, we are feeling the pain of the proverbial “tightening of the belt”.   

How can we keep security spending on par with threats and exposure?  Are we doing our jobs if we can’t prove ROI?  How do you provide the proper information to management so they can make better decisions about capital investments?  I’d like to hear your war stories.  Do you provide metrics, statistics or resort to fear mongering?  Use our contact page to let us know.

 I look forward to hearing how creative you are getting.

 Mari     iMarSolutions


Update:  Ben sent in this gem:  There is an old saying in the InfoSec (information security) world, "Good security is just good systems administration". Whilst this is a limited perspective, as security extends well beyond just the system administration functions of the organisation, it is none-the-less accurate. A more holistic and accurate way of saying it is however, "Good security is just a function of good quality."

Another reader said "Security awareness training and a million dollars here or there is a good investment to preserve the funding pipeline and organizational reputation. To the executives it's less about ROI than protecting image, funding, and cost avoidance with respect to reporting breaches." 

In addition, think about centralizing and using your outsourcing budget to save money.  There may be wiggle room in that as well as some pretty good metrics.


Mari Nichols

76 Posts
Dec 21st 2008

Sign Up for Free or Log In to start participating in the conversation!