How to make IT Security ROIs faster and more tangible?
1 Answer
Matt,
While there are some aspects of security that fall under the investment banner, and should thus be measured by ROI, I would submit that much of it should fall under the insurance banner, and be subjected to different metrics for success/suitability.
As just one example, an IPS is not an investment in the sense that it allows you to conduct business faster, or more cheaply. Not in a direct fashion, anyway.
Rather, an IPS is insurance that your organization will be able to continue to operate at current levels despite a well-documented increase in attacks, and preventing the loss of thousands or millions of dollars in an attack.
Perhaps the solution is to assign a negative value to different types of incidents and attacks, and then see how many such attacks are blocked or otherwise mitigated by the various security devices that are put in place. Certain items would almost immediately pay for themselves in that case.
However, the danger of relying only on such metrics is that you might come to the conclusion that, because no attacks have occurred in a particular period, the costs spent on a particular firewall or router were a waste. This is dangerous logic, and should be avoided at all costs.
I wrote an article on this less than a year ago:
http://Home.ASBzone.com/ASB/archive/2009/10/30/searching-for-return-on-securi...
Rather than trying to make the evaluation for security tools and products fit the same model as other investments, we should make it fit the model for insurance and risk mitigation. After all, what is the ROI of your company's BCP or DR plan?
Hope this helps,
-ASB: http://xeesm.com/AndrewBaker