Comments on Insecure Magazine #11: Security ROI/Enablement and Schmidt Interview

Insecure Magazine 11 was released earlier in May 2007.

I read through it and two articles caught my eye. Coincidentally, both relate to my paper on Virtual Trust, which was published in the 9th edition of Insecure Magazine.

The first was Security Economics (55-57). The second was the Howard Schmidt interview (23-24).

My hopes for the security economics article were much higher than what was delivered. The same InfoSec ROI thesis was revisited: cost savings are an ROI and may be used to justify security in an economic sense. This is then called security enablement.

To enable means to “render capable or able for some task.”

ROI can be defined in at least two ways: 1) ROI refers to the amount of profit or savings a business will realize from any given use of money; or 2) ROI refers to the percentage of profit or revenue generated from a specific activity. A nice explanation of ROI: “The profit or loss resulting from an investment transaction, usually expressed as an annual percentage return. ROI is a return ratio that compares the net benefits of a project versus its total costs.”

My personal take is that when the concepts of ROI and enablement are linked, we really want to discuss increasing revenue through the creation of a new revenue stream. When we normally think of enablement we think of putting something new in place; we think of the installation of a new system / workflow / cash flow to create a new line of business or expand an existing business. When we think of cutting costs, we think more in terms of replacing something that already exists with something more efficient: replacement not enablement. Sometimes we think of cutting cost as removing something completely and not replacing it at all.

I will grant that we also think of installing systems to increase productivity, remove redundancy and streamline the business process to cut costs. Maybe it’s just my perspective that I generally do not associate this process with enablement. I view enablement as the increase of something positive rather than the reduction of something negative. I will also grant that if we view ROI as strictly a return ratio, then this reasoning may need to be reworked, because anything that increases profit will have a positive ROI.

Could these lines of thought be the reason others also do not tend to accept the InfoSec ROI enablement argument? Or, is it simply that certain (if not all) security functions will never increase profit in any way and are purely an expense?

The Virtual Trust paper I co-authored seeks to describe how security can be used in such a way as to increase revenue, not just decrease costs. I had hoped that I would be reading more about the revenue-generating side of the house.


Regarding the Schmidt interview, he is quoted in response to a question about general government security fears:

2) The ability to investigate situations where their citizens fall victim to online crime and in turn do not trust the internet which in turn reduces their confidence in building a more robust ICT environment.

On June 4th I will be using Virtual Trust as a model to discuss this exact point at the UN (schedule).

