Kenneth F. Belva

An Open Email to Mike Rothman on Security ROI

Hey Mike,

I read your post yesterday, but there is a slight bug in it!

My blog post you cite was referencing Richard’s post entitled “Are the Question Sound?”, not the security network monitoring case study.

In “Are the Question Sound?” Richard tries to give a critique of the similarities and differences between the field of InfoSec and the field of finance.

Also, in regards to security ROI, one commenter (Ryan Heffernan) makes an excellent point on Richard’s blog: see here.

While I understand the hard-line approach both you and Richard take, it just seems that security ROI is a pragmatically useful concept. I even found a reference to it being endorsed by an international body: ISACA.

In the past we did agree to disagree and I respect that! We’ll just be disagreeing a bit more in the future over this particular issue. [Professionally, not personally of course. :)]

Perhaps you’ll even come around on Virtual Trust — actually a separate, although related discussion to ROI — after reading this post regarding DRM and PCI.

Don’t forget to consider what I wrote in my comments as well: If a consensus is formed around certain terminology, I will use that terminology appropriately.

I hope others are open-minded enough to change when change is called for (in either direction).

It also seems appropriate to add that the topic of conversation shifted in the comments from the main thread of the post. The main thread moved from “Why can’t risk be quantified in the Information Security field like it can be in the field of finance?” to “Does information security have an ROI?” While the latter question is important to ask, perhaps we should all (myself included) pay attention to the former when that is the main thrust of the post.

Cheers and keep in touch,
Ken
