Folks in the information security marketplace are working on what many are calling the Holy Grail for selling infosec solutions, services and products. Several projects have emerged in the last several months taking aim at finding an acceptable, meaningful methodology for quantifying the return on investment (ROI) that security brings to the enterprise. The goal is to find an acceptable manner in which to identify security as an asset and to determine the value in real dollars to executive level teams, board members, and shareholders. By doing so, many practitioners feel that they can get away from the fear mongering approaches that many security vendors and staff members have taken in the last several years to justify security expenditures and value.
While many of these projects have been making serious inroads toward a true methodology, they are generally in their infancy. The word on the street amongst CFO, CIO and CEO level managers is that the methodologies are a good step forward, but that they still require more research, validation, and assessment before they become useful as true decision-making tools and enterprise impact players. These objections are very similar to those that actuarial tables faced in the insurance industry before finally emerging as the primary means of determining the risk factors and rates of occurrence that make them so widely used today.
Two interesting means of identifying security ROI have emerged as possible solutions to the problem. The first methodology uses an aggregate system of vulnerabilities and risks and compares them against the level of compromise that attackers can achieve, the level of financial risk such compromises pose to the organisation, and the frequency with which such weaknesses get exploited. These factors are then weighted, scaled, and evaluated to determine the expected ROI of mitigating the risks at each stage of the vulnerability lifecycle.
The second methodology uses a laboratory model to evaluate various information security system risks and the impact they impose upon the environments under attack. The data gathered is then compared against baselines to determine whether specific risks should be mitigated or handled through detection and response. Both of these systems show promise for real-life application in the future. In addition to these two, more than ten other methodologies are being explored, developed, researched and peer reviewed.
What does all this mean to your organisation? It means that the basis for expressing risks and mitigation factors in executive level terms is beginning to emerge. While none of the systems available today are ready for prime time, the work is quickly proceeding and now might be the time to begin to research and evangelise such methodologies.
We may find the executive doors are more open, and perhaps the wallets too, if we can begin to truly explain how information security can improve the bottom line, empower business, and be an accepted form of risk management with real terms and figures instead of FUD. Now is certainly the time to explore these new options and begin to fit more closely with some of the executives' more traditional expectations.
Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. His 12 years of professional experience have demonstrated his knowledge of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, incident response, forensic computing, and hacker techniques. As President and CEO of MicroSolved, he and his staff have performed system and network security consulting services for Fortune 500 companies and all levels of governmental facilities. He is an accomplished computer and information security speaker, has published numerous white papers on security-related topics, and worked as co-author and technical editor of the book "Hack Proofing Your E-Commerce Site" from Syngress Publishing.