Showing posts with label roi. Show all posts

Friday, July 20, 2007

Glutton for ROI Punishment

My previous posts No ROI? No Problem and Security ROI Revisited have been smash hits. The emphasis here is on "smash." At the risk of being branded a glutton for ROI punishment, I present one final scenario to convey my thoughts on this topic. I believe there may be some room for common ground. I am only concerned with the Truth as well as we humans can perceive it. With that, once more unto the breach.

It's 1992. Happy Corp. is a collaborative advertisement writing company. A team of writers develops advertisement scripts for TV. Writers exchange ideas and such via hard copy before finalizing their product. Using these methods the company creates an average of 100 advertisement scripts per month, selling them for $1,000 each or a total of $100,000 per month.

Happy's IT group proposes Project A. Project A will cost $10,000 to deploy and $1,000 per month to sustain. Project A will provide Happy with email accounts for all writers. As a result of implementing Project A, Happy now creates an average of 120 scripts per month. The extra income from these scripts results in recouping the deployment cost of Project A rapidly, and the additional 20 scripts per month is almost all profit (minus the new $1,000 per month charge for email).

Now it's 1993, and Happy Corp. faces a menace -- spam. Reviewing and deleting spam emails lowers Happy's productivity by wasting writer time. Instead of creating 120 scripts per month, Happy's writers can only produce 110 scripts per month.

Happy's security group proposes Project B. Project B will cost $10,000 to deploy and $1,000 per month to sustain. (Project B does not replace Project A.) Project B will filter Happy's email to eliminate spam. As a result of implementing Project B, Happy returns to creating an average of 120 scripts per month. Profits have increased but they do not return to the level enjoyed by the pre-spam days, due to the sustainment cost of Project B.

I would say Project A provides a true return on investment. I would say Project B avoids loss, specifically the productivity lost by wasting time deleting spam.

I could see how others could make an argument that Project B is a productivity booster, since it does return productivity to the levels seen in the pre-spam days. That is the common ground I hope to achieve with this explanation. I do not consider that a true productivity gain because the productivity is created by the email system, Project A, but I can accept that others see this differently.

I think this example addresses the single biggest problem I have seen in so-called "security ROI" proposals: the failure to tie the proposed security project to a revenue-generating business venture. In short, security for "security's sake" cannot be justified.

In my scenario I am specifically stating that the company is losing revenue of 10 scripts per month because of security concerns, i.e., spam. By spending money on spam filtering, that loss can be avoided. Assuming the overall cost of Project B is less than or equivalent to the revenue of those lost 10 scripts per month, implementing Project B makes financial sense.
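To make the arithmetic behind the two projects concrete, here is an added example (not code from the original post) that models the Happy Corp. scenario in Python using only the figures given above; the function names and the 12-month horizon used in the decision rule are assumptions of mine.

```python
"""Cash-flow model of the Happy Corp. scenario.

Added example, not the post's own code. It uses only the figures the post
gives: 100 scripts/month at $1,000 each, Project A and Project B each costing
$10,000 to deploy and $1,000/month to sustain, +20 scripts/month from email,
-10 scripts/month from spam. Function names and the 12-month horizon are my
assumptions.
"""
from dataclasses import dataclass

SCRIPT_PRICE = 1_000        # dollars per script (from the post)
BASELINE_SCRIPTS = 100      # scripts/month in 1992, before any project
SPAM_LOSS = -10             # scripts/month lost to reviewing and deleting spam


@dataclass(frozen=True)
class Project:
    name: str
    deploy_cost: int        # one-time cost, dollars
    monthly_cost: int       # sustainment cost, dollars per month
    script_delta: int       # change in scripts/month the project causes


PROJECT_A = Project("Project A (email)", 10_000, 1_000, +20)
PROJECT_B = Project("Project B (spam filter)", 10_000, 1_000, +10)


def monthly_profit(scripts: int, monthly_costs: int) -> int:
    """Revenue from scripts sold minus recurring project costs, per month."""
    return scripts * SCRIPT_PRICE - monthly_costs


def happy_corp_timeline() -> dict[str, int]:
    """Monthly profit at each stage of the story, in the order the post tells it."""
    scripts_a = BASELINE_SCRIPTS + PROJECT_A.script_delta
    scripts_spam = scripts_a + SPAM_LOSS
    scripts_b = scripts_spam + PROJECT_B.script_delta
    return {
        "1992 baseline": monthly_profit(BASELINE_SCRIPTS, 0),
        "with Project A": monthly_profit(scripts_a, PROJECT_A.monthly_cost),
        "1993 with spam": monthly_profit(scripts_spam, PROJECT_A.monthly_cost),
        "with Project B": monthly_profit(
            scripts_b, PROJECT_A.monthly_cost + PROJECT_B.monthly_cost
        ),
    }


def payback_month(project: Project, revenue_gain_per_month: int) -> int:
    """Months until the project's cumulative net gain covers its deployment cost.

    revenue_gain_per_month is the revenue the company has with the project
    that it would not have without it (for B, the revenue spam was costing).
    """
    net_per_month = revenue_gain_per_month - project.monthly_cost
    if net_per_month <= 0:
        raise ValueError(f"{project.name} never recoups its deployment cost")
    months, cumulative = 0, -project.deploy_cost
    while cumulative < 0:
        months += 1
        cumulative += net_per_month
    return months


def classify(scripts_before_threat: int, scripts_with_project: int) -> str:
    """The post's distinction: a project that lifts output above the pre-threat
    level creates wealth ("return"); one that only restores output a threat
    removed preserves wealth ("loss avoidance")."""
    if scripts_with_project > scripts_before_threat:
        return "return"
    return "loss avoidance"


def loss_avoidance_makes_sense(
    project: Project, loss_avoided_per_month: int, horizon_months: int
) -> bool:
    """The post's decision rule for Project B: spend on it only if its overall
    cost over the horizon is no more than the revenue it stops losing."""
    total_cost = project.deploy_cost + project.monthly_cost * horizon_months
    return total_cost <= loss_avoided_per_month * horizon_months


if __name__ == "__main__":
    for stage, profit in happy_corp_timeline().items():
        print(f"{stage:>16}: ${profit:,}/month")
    print("Project A pays back in month", payback_month(PROJECT_A, 20 * SCRIPT_PRICE))
    print("Project B pays back in month", payback_month(PROJECT_B, 10 * SCRIPT_PRICE))
    print("Project A is", classify(BASELINE_SCRIPTS, BASELINE_SCRIPTS + 20))
    print("Project B is", classify(120, 120))
    print("Project B worth it over 12 months:",
          loss_avoidance_makes_sense(PROJECT_B, 10 * SCRIPT_PRICE, 12))
```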

What do you think?

Sunday, July 15, 2007

Security ROI Revisited

One of you responded to my No ROI? No Problem post with this question:

Just read your ROI blog, which I found very interesting. ROI is something I've always tried to put my finger on, and you present an interesting approach. Question: Is it not possible to 'make' money with security, or does it still come down to savings? Example:

- A hospital implements a security system that allows doctors to access patient data from anywhere. Now, instead of doing 10 patients a day they can do (and charge) 13 patients a day.

I'm not trying to sharp shoot you in any way, I'm just trying to better understand the economics.


This is an excellent question. This is exactly the same concept as I stated in my August 2006 post Real Technology ROI. In this case, doctors are more productive at accessing patient data by virtue of a remote access technology. This is like installing radios for faster dispatch in taxis. In both cases security is not causing a productivity gain but security can be reasonably expected as a property of a properly designed technology. In other words, it's the remote access technology that provides a productivity gain, and doctors should expect that remote access to be "secure." In a taxi, the radio technology provides a productivity gain, and drivers should expect that system to be "secure."

I'm sure that's not enough to convince some of you out there. My point is you must identify the activity that increases productivity -- and security will not be it. Don't believe me? Imagine the remote access technology is a marvel of security. It has strong encryption, authorization, authentication, accountability, endpoint control, whatever you could possibly imagine to preserve the CIA triad. Now consider what happens if, for some reason, doctors are less productive using this system. How could that happen? The system is secure! Maybe the doctors all decide to spend tons more time looking at patient records so their "throughput" declines. Who knows -- the point is that security had nothing to do with this result; it's the business activity that increases (or in this example, decreases) that determines ROI.

What does this mean for security projects? They still don't have ROI. However, and this is a source of trouble and opportunities, security projects can be components of productivity enhancing projects that do increase ROI. This is why the Chief Technology Officer (CTO) can actually devise ROI for his/her projects. As a security person, you would probably have more success in budget meetings if you can tie your initiatives to ROI-producing CTO projects.

Wait a minute, some of you are saying. How about this example: if a consumer can choose between two products (one that is "secure" and one that is not), won't choosing the "secure" model mean that security has a ROI, because the company selling the secure version might beat the competition? In this case, remember that the consumer is not buying security; the consumer is buying a product that performs some desired function, and security is an "enabler" (to use a popular term). If the two products are functionally equivalent and the same price, buying the "secure" version is a no-brainer because, even if the risk is exceptionally small, "protecting" against that risk is cost free. If the "secure" version is more expensive, now the consumer has to remember his/her CISSP stuff, like Annualized Rate of Occurrence (ARO) and Single Loss Expectancy (SLE) to devise an Annual Loss Expectancy (ALE), where

ARO * SLE = ALE

You then compare your ALE to the cost differential and decide if it's worth paying the extra amount for the "secure" product.

For those of you who still resist me, it's as simple as this: security is almost always concerned with stopping bad events. When you stop a bad event, you avoid a loss. Loss avoidance means savings, but no business can stay in business purely by saving money. If you don't understand that you will never be able to understand anything else about this subject. You should also not run a business.

The reason why you should pursue projects that save money is that those projects free resources to be diverted to projects with real ROI. Those of you who have studied some economics may see I am getting close to Frédéric Bastiat's Broken Window fallacy, briefly described by Russell Roberts thus:

Bastiat used the example of a broken window. Repairing the window stimulates the glazier's pocketbook. But unseen is the loss of whatever would have been done with the money instead of replacing the window. Perhaps the one who lost the window would have bought a pair of shoes. Or invested it in a new business. Or merely enjoyed the peace of mind that comes from having cash on hand.

Spending money on security breaches is repairing a broken window. Spending money to prevent security breaches is like hiring a guard to try to prevent a broken window. In either case, it would have been more productive to be able to invest either amount of money, and a wise investment would have had a positive ROI. This is why we do not spend time breaking and repairing windows for a living in rich economies.

However, like all my posts on this subject, I am not trying to argue against security. I am a security person, obviously. Rather, I am arguing against those who warp security to fit their own agenda or the distorted worldview of their management.

For an alternative way to talk to management about security, I recommend returning to my post Risk-Based Security is the Emperor's New Clothes where I cite Donn Parker.

Saturday, July 14, 2007

No ROI? No Problem

I continue to be surprised by the confusion surrounding the term Return on Investment (ROI). The Wikipedia entry for Rate of Return treats ROI as a synonym, so it's a good place to go if you want to understand ROI as anyone who's taken introductory corporate finance understands it.

In its simplest form, ROI is a mechanism used to choose projects. For example, assume you have $1000 in assets to allocate to one of three projects, all of which have the same time period and risk.

  1. Invest $1000. Project yields $900 (-10% ROI)

  2. Invest $1000. Project yields $1000 (0% ROI)

  3. Invest $1000. Project yields $1100 (10% ROI)


Clearly, the business should pursue project 3.

Businesspeople make decisions using this sort of mindset. I am no stranger to this world. Consider this example from my consulting past, where I have to choose which engagement to accept for the next week.

  1. Spend $1000 on travel, meals, and other expenses. Project pays $900 (-10% ROI)

  2. Spend $1000 on travel, meals, and other expenses. Project pays $1000 (0% ROI)

  3. Spend $1000 on travel, meals, and other expenses. Project pays $1100 (10% ROI)


Obviously this is the same example as before, but using a real-world scenario.

The problem the "return on security investment" (ROSI) crowd has is they equate savings with return. The key principle to understand is that wealth preservation (saving) is not the same as wealth creation (return).

Assume I am required to obtain a license to perform consulting. If I buy the license before 1 January it costs $500. If I don't meet that deadline the license costs $1000. Therefore, if I buy the license before 1 January, I have avoided a $500 loss. I have not earned $500 as a result of this "project." I am not $500 richer. I essentially bought the license "on sale" compared to the post-1 January price.

Does this mean buying the license before 1 January is a dumb idea because I am not any richer? Of course not! It's a smart idea to avoid losses when the cost of avoiding that loss is equal to or less than the value of the asset being protected.

For example, what if I had to pay $600 to get a plane ticket from a far-away location to appear in person in my county to buy the license before 1 January? In that case, I should just pay the $1000 license fee later. For a $500 plane ticket, the outcome doesn't matter either way. For a $400 plane ticket, I should fly and appear in person. Again, in none of these situations am I actually richer. No wealth is being created, only preserved. There is no ROI, only potential savings.

What if I chose to avoid paying for a license altogether, hoping no one catches me? I've saved even more money -- $500 compared to the pre-1 January price, and $1000 compared to the post-1 January price. This is where the situation becomes more interesting, and this is where subjectivity usually enters the picture concerning expected outcomes.

Let's get back to ROI. The major problem the ROSI crowd has is they are trying to speak the language of their managers who select projects based on ROI. There is no problem with selecting projects based on ROI, if the project is a wealth creation project and not a wealth preservation project.

Security managers should be unafraid to avoid using the term ROI, and instead say "My project will cost $1,000 but save the company $10,000." Saving money / wealth preservation / loss avoidance is good.

Another problem most security managers will encounter is their inability to definitively say that their project will indeed save a certain amount of money. This is not the case for licensing deals, e.g., "Switching from Vendor X's SSL VPN to Vendor Y's SSL VPN will save $10,000" because the outcome is certain, breach of contract notwithstanding. Certainty or even approximate probability is a huge hurdle for many security projects because of several factors:

  1. Asset value is often undetermined; in some cases, assets themselves are not even inventoried

  2. Vulnerabilities in assets are unknown, because new flaws are discovered every day

  3. The threat cannot be properly assessed, because threats are unpredictable and creative


As a result, risk assessment is largely guesswork. Guesswork means the savings can be just about anything the security manager chooses to report.

If you look at my older posts on return on security investment you'll see some more advice on how to make your case for security spending without using the term "ROI".

It should be clear by now that ROSI or security ROI is nothing more than warping a defined business term to get attention during budget meetings. I saw the exact same problem in the Air Force. At one point those who flew combat missions were called "operators." Once Information Operations came into vogue, that community wanted to be called "operators" too. At one point a directive came down that intel folks like me were now "operators," just like combat pilots. That lasted about 10 minutes, because suddenly the combat pilots started using the term "trigger-pullers." "Fine," they thought. "Call yourselves operators. We pull triggers." Back to square one.

The bottom line is that security saves money; it does not create money.

Tuesday, June 12, 2007

One for Ken Belva

I mentioned Ken Belva's thoughts in Thoughts on Virtual Trust last year. If you don't know Ken's thoughts on "virtual trust" please read that post before continuing further. I refrained from pointing a finger at Ken's Apple DRM example after Steve Jobs posted his Thoughts on Music, where DRM won't apply to Apple music (thereby depriving Ken of one of his case studies and questioning his logic).

Now I'd really like an answer to this article: Retailers Fuming Over Card Data Security Rules; Claim PCI standard shifts burden to them, could alienate customers. Here are a few excerpts:

Several retailers last week bristled at having to comply with the Payment Card Industry (PCI) Data Security Standard, complaining that they carry an unfair burden in securing credit card data.

In interviews and speeches at the annual ERIexchange conference here, retail executives also complained that implementing the PCI standard is costly and could alienate customers...

Robert Fort, director of IT at Virgin Entertainment Group Inc. in Los Angeles... contended that meeting the requirements doesn't boost a retailer's bottom line. "There's no direct return on investment," he said. "It will not help us sell CDs."
(emphasis added)

Ken -- what do you think about that? I would respond to the vendor by saying customers who can't trust vendors won't give the vendor their business. I might also use an argument that says vendors could be held liable for negligence. Those are two thoughts.

Saturday, October 07, 2006

Security Is Not Refrigeration

Analogies are not the best way to make an argument, but they help when debating abstract concepts like "virtual trust".

Consider the refrigerated train car at left. Refrigeration is definitely a "business enabler." Without refrigeration, food producers on the west coast couldn't sell their goods to consumers on the east coast. Refrigeration opened new markets and keeps them open.

However, refrigeration is not the business. Refrigeration is a means to an end -- namely selling food to hungry people. Refrigeration does not generate value; growing and selling food does. (Refrigeration is only the business for those that sell refrigerated train cars and supporting devices.)

You might think "security" is like refrigeration. Like refrigeration, security could be said to "enable" business. Like refrigeration, security does not generate value; selling a product or service through a "secure" channel does.

So why is "security" really not refrigeration? The enemy of refrigeration is heat. Heat is an aspect of nature. Heat is not intelligent. Heat does not adapt to overcome the refrigeration technology deployed against it. Heat does not choose its targets. One cannot deter or jail or kill heat.

The enemy of "security" is the intruder. The intruder is a threat, meaning a party with the capabilities and intentions to exploit a vulnerability in an asset. Threats are intelligent, they adapt, they persist, they choose, and they react to their environment. In fact, an environment which on Monday seems perfectly "secure" can be absolutely compromised on Wednesday by the release of an exploit in response to Tuesday's Microsoft vulnerability announcements.

Returning to the idea of "enablement" -- honestly, who cares? I'll name some other functions that enable business -- lawyers, human resources, facility staff. The bottom line is that "virtual trust" is an attempt to "align" (great CISO term) security with "business objectives," just as IT is trying to "align" with business objectives. The reason "IT alignment" has a chance to succeed in creating real business value is that IT is becoming, in itself, a vendor of goods and services. Unless a business is actually selling security -- like a MSSP -- security does not generate value.

Why is anyone even bothering to debate this? The answer is money. If your work is viewed as a "cost center," the ultimate goal is to remove your budget and fire you. If you're seen as an "enabler," you're at least seen as being relevant. If you can spin "enablement" into "revenue generation," that's even better! Spend $X on security and get $Y in return on investment! Unfortunately that is not possible.

Finally, I don't think anyone would consider me "anti-security." I'm not arguing that security is irrelevant. In fact, without security a business can be absolutely destroyed. However, you won't find me saying that security makes anyone money. Some argue that spending money on security prevents greater loss down the line, perhaps by containing an intrusion before it avalanches into an immense compromise. That's still loss prevention. Of course security "enables" business, but enablement doesn't generate revenue; it supports a revenue-generating product or service.

This is probably my last word on this in a while. I need to turn back to my own business!

Wednesday, October 04, 2006

Thoughts on Virtual Trust

I've said before that there is no return on security investment (ROSI). This argument appears to have morphed again in the form of a paper titled Creating Business Through Virtual Trust. A Technorati search will show you other comments on this idea. These are mine.

First, I agree with others who say "virtual trust" should not be "virtual" -- it's either "trust" or it's not. That's not a major point though.

Second, the thesis for the paper appears to be the following, as shown in the abstract.

Business is concerned with the creation of new entities and assets that generate cash. Information security, by contrast, is traditionally concerned with protecting these entities and assets. In this paper we examine a perspective which currently exists but is largely dormant in the information security field. We maintain that information security can be actively involved in the creation of business and that the skills required to create commercial activity must be added to the information security professional's intellectual tool set. We also present evidence to demonstrate that the capability of security to create business, which we designate by the term "virtual trust", may become a dominant paradigm for how to think about information security.

The authors provide this example:

Apple's iTunes employed Digital Rights Management (DRM) technologies to create a new product and, hence, a new revenue stream. Over 1 billion songs have been downloaded from iTunes. In the case of iTunes, DRM works by restricting the number of CPUs on which the .mp3 will play. The songs are also stored in a proprietary, encrypted format. These two factors, at minimum, erect a prohibitive barrier and thereby reduce the likelihood that an end user will trade songs. The various security mechanisms used by Apple's iTunes DRM created the Virtual Trust necessary to persuade the music industry that their rights will be protected digitally and be profitable.

I see nothing wrong with this statement. However, security is not making money in this example -- iTunes sales are making money. Imagine a world without DRM. Someone buys a song, then gives it to their friends. Apple and the music companies believe those extra copies are lost sales. What have we returned to? That's right -- a loss prevention model.

"Virtual Trust" is just anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r name for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Road House security model. Security is not making money for anyone in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bar Patrick Swayze patrols. Alcohol and food sales are making money.

Security may be a necessary condition for sales and a thousand other activities, but it doesn't make any money. Imagine this exchange between executives:

SecGuy: "Hey boss, I have a great idea for enabling business through virtual trust."

Boss: "What is it?"

SecGuy: "I'm going to secure a business initiative that will make millions!"

Boss: "What is the initiative?"

SecGuy: "Hmm, I don't know. But whatever it is I will secure it and enable business through virtual trust!"

Boss: "Sigh."

You can watch one of the authors of this paper post his thoughts on his blog.

Thursday, September 07, 2006

Mike Rothman Is Right

Mike Rothman is right:

I'm here at the Security Standard conference and I'm seeing the pendulum starting to swing back. What pendulum? The pendulum that swings like a metronome between security as a defense and security as an enabler...

I'll make it very, very clear. Security is not a business enabler. It is a cost of doing business. You cannot do new things because of security. You do open up new revenue streams and add value to customers via new applications that reflect new (or updated) business processes. It may be ill-advised to put these new business processes on the web without adequate security, but you CAN do it.


In extreme cases of incredible negligence or outright stupidity, a business may deploy an exceptionally insecure application or business process that must be shut down due to overwhelming fraud and theft. Barring those circumstances, however, I agree that businesses are willing to "put these new business processes on the web without adequate security" and suck up some level of "acceptable loss."

Richard Stiennon agrees:

My perspective is that treating IT security like a business process is like treating a tactical military strike force as a business. While maintaining the capability of military forces could be a process open for improvement by applying some business discipline, actually fighting battles and overcoming opposing forces does not have much of the "business process" about it. Security is much more akin to fighting a battle than it is to "aligning business objectives".

Hopefully someone at this conference will address security as a cost, like insurance or legal teams.

Saturday, August 19, 2006

No ROI for Security or Legal

Last night I watched a Dateline NBC story about the fast food industry's defense against lawsuits alleging their products cause obesity. This reminded me that these corporate legal teams are similar to corporate security teams. No one is going to increase funding for their legal department and see improved productivity or higher profits. Yet, legal is still a necessary requirement for doing business -- especially for staying in business.

You may remember this earlier comment:

Marcus [Ranum] said "security ROI is dead" and "legislation has made security a cost." He predicted "we will be competing with legal for money (or working for them) in the next five to ten years." To hammer the point Marcus then said "there never was a security ROI."

I'd enjoy hearing how corporate lawyers justify their budgets.

Wednesday, August 16, 2006

Security Is Still Loss Avoidance

One of you (who wishes to remain anonymous) sent me a link to the story Value Made Visible in response to my Real Technology ROI post. Here is the CSO magazine core argument.

[The] Value Protection [Metric] is [Bruce] Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business...

The basic Value Protection metric is a ratio that looks like this: Value Protection = (Normal Operations Cost ($) – Event Impact ($)) / Normal Operations Cost ($)...

Larson's metric just subtracts the cost of security events from the normal cost of doing business, then divides by that same operations cost to get a ratio.


I'm sure that's been published somewhere before, or at least something very similar. I'm too lazy to check those CISSP books I never open.

Here are some examples from the same article:

Whether it's based on actual events or potential futures, the Value Protection ratio gives security officers a real metric to present and it gives executives a simple, clean picture of security investments' relative value. Here are three examples of how it could be used by an organization with a normal operations cost (N) of $1 million:

Example 1. A medium-level virus outbreak costs $70,000 across all operations.

VP = (1,000,000 – 70,000) / 1,000,000 = 0.93

Larson calls a 0.9 ratio "exceptional." A Value Protection ratio of 0.93 probably doesn't require more investment or lowering of event impact, especially if trying to increase the ratio would take away from investment in other areas where Value Protection isn't as strong.

Example 2. An insider fraud attack causes $500,000 in response and recovery costs, lawyers' fees, insurance costs and unrecouped stolen goods.

VP = (1,000,000 – 500,000) / 1,000,000 = 0.5

In rare instances where high risk is tolerable, such as a high-level R&D project, protecting half the value of an investment might be acceptable. But in most cases, value protection of 0.5 is "usually pretty bad," Larson says. And that makes sense: It means your security is a 50/50 proposition.

Example 3. A network vulnerability leads to customers' personal data being stolen, resulting in $1.2 million in damages from response and recovery, lawyers' fees, government fines and other ancillary costs, as well as a significant drop in stock value after negative publicity.

VP = (1,000,000 – 1,200,000) / 1,000,000 = -0.2

Negative ratios are a clear sign that an organization doesn't have the proper information security defenses in place, as it means that security events have or potentially will cost more than operations is spending to stop them. Immediate steps should be taken to fortify the information security controls.


Ok, this is all very interesting. However, it doesn't change the fact that security is still loss avoidance. Mr. Larson is not calculating any return on security investment. His American Water company is not any more productive, in the absence of threats, when he spends money on security.

When threats are present, security helps American Water serve its customers. American Water can't serve any more customers because of security.

One last excerpt: This "VP" is either being nice or he doesn't understand business very well:

"It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric.

Sorry Mr Schmitt, but your American Water operations create value. Security spending helps avoid loss of that value.

This is not to say that I oppose security spending. How could I -- I am a security professional! However, I also recognize that security is like insurance. You cannot buy insurance and as a result have your business be more productive or profitable.

Tuesday, August 15, 2006

Real Technology ROI

I recently reiterated that there is no ROI for security (except for Road House). This is obviously not true for all technology. While traveling recently I saw technology with real ROI in a taxi. Think of the effect of deploying radios in taxis. Before this invention, cabs relied on getting assignments through a central dispatcher at their home station. Sure, they could be flagged down by a passer-by, but otherwise they returned to base for a new job.

Now spend a little money to install radios in everyone's cab. Suddenly the cab that would previously have to return to home base to get a new assignment can be dynamically re-tasked to a waiting passenger nearby. A cab that only ran two dozen passengers per shift can accommodate double that number, hardly ever returning back to base. That's called an increase in productivity -- the source of real economic growth -- and real ROI.

Staying with the taxi scenario, you may have heard of technology to avoid collisions. You might think "That has real ROI. Install the collision avoidance system and suffer fewer crashes. Fewer crashes mean lower insurance premiums and fewer payments of deductibles when getting repairs." It sounds like ROI, but it's not -- it's loss avoidance. You are not becoming any more productive; you're avoiding a cost. That's what security spending is -- loss avoidance.

Wednesday, August 09, 2006

Notes from SC Magazine

The July 2006 SC Magazine features some blogworthy stories. From Working for Gold, we see more opinions that calculating security ROI is a waste of time:

In recent years, the acronym of the day was ROSI — return on security investment. Analysts and security managers alike were struggling to find ways to measure security return on investment (ROI) and offer it up as proof to their bosses and executive boards that their money was being maximized. But the magic method to do this has never appeared. And some, such as André Gold, Continental Airlines' information security director, doubt it ever will.

"There are a lot of people out cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re who want to turn cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 information security department into a profit and loss (P&L) entity and I don't think you can do it," Gold says. "I ran our ecommerce environment for almost seven years and it was really easy to do ROI-type of metrics cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re. In my opinion you just don't have that in security."

Gold isn't alone. Increasingly, security professionals are dropping the goal of searching for ROI in favor of looking for better ways to communicate how security is making the most of its budget.

"I truly believe cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is no real ROI," says Kevin Mandia, CEO of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security consultant firm Mandiant. "A lot of smart people have sat around trying to think about this for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last 10 years and nobody has come up with anything."

All you can do, he says, is detail the proactive things you've done to protect the company from identified threats, and when those thresholds are breached, discuss how fast you reacted to them.

Gold's philosophy is that as a risk management division, security is akin to insurance.

"Risk management is, I think, about insurance," he says. "Insurance doesn't have a P&L [profit and loss] associated with it. Insurance is what it is."
(emphasis added)

Bingo. There's nothing more to say, except for my Road House example.

The same issue features What pill can I take for cyber insecurity? by Kevin Mandia of Mandiant, my friend and ex-Foundstone leader. He concludes by saying:

I think most of us agree that the majority of folks on the planet desire a world where there is no "buggy" software, no backdoors, no cyber intruders and no discernible security flaws in our software. It is time to salute smartly and prepare to battle on. Defending America's cyber infrastructure is going to be a lot like trying to cure a complex disease. The oldest known description of human cancer is found in Egyptian papyri written between 3000-1500 BC, and 3,500 years later we still do not have a cure. I expect similar results for cybersecurity. We can treat cyber insecurity, we can survive it, but we must learn to live with the fact that there may not be a cure.

Kevin is right, although I am hopeful there will indeed be a cure for cancer one day. I like to look at the issue in this light, though. We have been building homes for the same period that Kevin mentions -- even longer. This morning a contractor visited my home to inspect our roof for water leaks. With homes having a multi-thousand-year history, wouldn't you expect to have an absolutely water-proof home by now?

The answer is yes -- if you are willing to pay for it. There are seldom solutions to any problems -- only trade-offs. If you're willing to add $50,000 (?) to the cost of your house, maybe you can have a 100-year roof. That's a price I'm not willing to pay, since this repair will be (only!) $575.

We could approach a similar level with "security" if we were willing to abandon general purpose PCs, operating systems, and applications, wait 10 years, and then operate within an extremely narrow and probably fixed set of features. We'd also have to pay a great deal more.

Wednesday, April 26, 2006

Return on Security Investment

Just today I mentioned that there is no such thing as return on security investment (ROSI). I was saying this two years ago. As I was reviewing my notes, I remembered one true case of ROSI: the film Road House. If you've never seen it, you're in for a treat. It's amazing that this masterpiece is only separated by four years from Swayze's other classic, Red Dawn. (Best quote from Red Dawn: A member of an elite paramilitary organization: "Eagle Scouts.")

In Road House, Swayze plays a "cooler" -- a bouncer who cleans up unruly bars. He's hired to remove the riff raff from the "Double Deuce," a bar so rough the band is protected by a chicken wire fence! I personally would have hired Jackie Chan, but that's a story for another day. Swayze's character indeed fights his way through a variety of local toughs, in the process allowing classier and richer patrons to frequent the Double Deuce. The owner clearly sees a ROSI; the money he pays Swayze is certainly less than the amount he now receives from a more upscale establishment.

Is there a lesson to be drawn for the digital security world? Notice the focus on threats. The Double Deuce owner didn't hire Swayze to build higher walls or cover windows with iron bars. Instead of addressing vulnerabilities, he sought threat removal. This is not a process the average company can implement; usually law enforcement and intelligence agencies have this power.

I have heard the term "friendly force presence" being used within certain military circles. This seems to refer to keeping assessment teams on the lookout for indications of the adversary on our networks. This certainly works in the physical world, but it may be difficult to translate into the virtual one.

One example: when I visited Ottawa recently, I stopped at a McDonald's to get a quick meal. The place was teeming with teenagers, most of whom were just lounging around. I considered leaving because the place was so full. I saw a manager appear a few minutes after I arrived, and with him came a uniformed police officer. The officer had a word with one or two of the larger teens and suddenly the restaurant started to empty. Within five minutes hardly anyone was left, and no one under the age of 18. It was amazing.

Friday, December 17, 2004

Ripping Into ROI

In April I wrote Calculating Security ROI Is a Waste of Time. The latest print issue of Information Security magazine features a story by Anne Saita that confirms my judgement:

"If you find executives resisting your security suggestions, try simply removing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 term 'ROI' from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 conversation.

'ROI is no longer effective terminology to use in most security justifications,' says Paul Proctor, VP of security and risk strategies for META Group. [Paul is also author of the excellent book Practical Intrusion Detection, where he correctly said 'there is no such thing as a false positive.']

Executives, he says, interpret ROI as 'quantifiable financial return following investment.' Security professionals view it more like an insurance premium. The C-suite is also wary of the numbers security ROI calculators crunch.

'Bottom line is that most executives are frustrated and no longer interested in hearing this type of justification,' Proctor says. Instead, express a technology's or program's business value, cost/benefit analysis and risk assessment."

Amen.

Sunday, April 18, 2004

Calculating Security ROI Is a Waste of Time

I was pleased to read Infosec Economics by Lawrence Gordon and Robert Richardson in the 1 Apr 04 issue of Network Computing magazine. This duo says:

"ROI (or bang for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 buck) can't be applied perfectly to information security because often cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can calculate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ROI of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se indirect benefits. But security requires factoring in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 expectation of loss."

I've been lucky to have never been tasked with calculating security's "return on investment," because I would have told my supervisor the answer is zero. There is no return to be made on security, because security is a loss avoidance and loss mitigation measure. Security is a way to deal with risk, which is the probability of loss. (I dealt with these definitions in Oct 04.)

"Investing" in security is not like investing in a more efficient metal-bending machine or sending an employee to a training class. Donald Trump does not receive any return on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 investment he makes in bodyguards. All he does is provide a means to lessen cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 probability of bodily harm. He is not a more efficient businessman as a result of having bodyguards.

Obviously people value security, but it must be balanced by the threats one faces and the consequences of loss. Presidential candidates only receive Secret Service protection once they appear to be their party's nominee. Private citizens do not usually employ bodyguards. We make these decisions all the time, but because digital security is an art with opaque threats, we have trouble choosing the appropriate level of security for our networks. Those who perform network security monitoring are more aware of these threats than the average CISO. NSM operators possess network awareness, thanks to the sorts of information they collect.

Economists have appreciated this fact for years. It looks like the 2004 CSI/FBI study will avoid ROI in favor of discussing net present value (NPV) and security as an externality. Stay tuned.