Tuesday, 24 July 2007

Back in the saddle

Hola amigos! I'm back from a splendid holiday in Italy, and straight onto the computer to see what's been happening whilst I've been away. Well, from what I can tell, not much.
It seems that the iPhone has been cracked but Jon still loves it. Until I get one, I'm torn. Anyone who wants me to try it out, just send me one, no problem.

Apart from this, there seems to be some sort of odd argument about ROI in security in almost every blog I read. Latterly, I've read Anton Chuvakin's post with the usual befuddlement, and came to the conclusion that none of the people he mentions in his post really has a clue what they are talking about (with maybe the exception of Hoff), or why they are doing so at least.

What isn't explained very clearly anywhere in what I've read so far is the fact that ROI in security is not the ROI of accounting, or even the ROI of finance in general. Ask an out-and-out economist what ROI means and they will tell you something along the lines of "ROI is the ratio of money gained on an investment relative to the initial outlay". Not saved, gained. And this is where the great semantic debate has started. But just because the economists are the ones who study money doesn't mean their definition applies to what we need the term for. We need it to sell security, so tell them to stick their necks back in, or I'll come and start showing them how the "Safety" tier of Maslow should be subject to PCI DSS.

Investment in security will never help you sell more widgets. We know this. There are many idiotic examples of people not investing in security because of this. We also know that in many cases after breaches, companies have actually performed better because of their new-found exposure in the press. These are false economies, however, and once it becomes more commonplace to be attacked, the bottom will fall out of this sort of argument. You can still make savings with well-considered security investments.

It's still your basic P&L spreadsheet. And if you (as a CSO) can show your CFO that the spreadsheet will go from negative to positive, or small positive to less small positive in an amount of time "x", then you have a basic ROI argument. Just because security ROI is based on not spending money you have previously spent, doesn't mean it's not a "return" on the "investment" in any other terms than linguistics. It's a negative spend (or "save" as we say in English) rather than a positive gain, for sure, but even the thickest of economists must be able to get the "return" on that "investment".

I don't really see that it needs much more discussion, for the sake of boredom rather than anything else. I'm sure Dr. C has done much more complicated sums than I in his career and I'm certainly not prepared to get into a "who's got the biggest brain" contest - it's Anton, by around 10lbs, that's why he can call himself Dr. - but this really is a non-starter for me. It comes down to words at the end of the day, and whilst you lot are picking holes in other people's laziness, they are making their fortunes from what was only ever meant to be a sales tool.

The point is, everyone knows what ROI means in this context, and if that works, why bother trying to rewrite the rules? Every finance house, government organisation, retail store, healthcare or pharmaceutical establishment has rules around purchasing which they know internally as "ROI". Typically, for example, a bank will buy a network item (software or hardware) if it can be proven to "pay for itself" within 9 months. Governments give a little more time; it varies, but usually a year and a half or more. This is what we mean by ROI, and if you can't produce the figures to talk to these people, you won't get further than meeting 1. You all know this. Why do we need to talk about what the terms mean? Who cares whether it's RROI, ROSI, fake ROI, blah blah. You're just going to confuse people and look like a smart-arse/ass/Alec.

When I left for Italy I was disappointed in what I was seeing in security in general, and ready to throw in the towel. Now I'm back, the towel is still in my hand. When the smartest guys in the business are discussing English language instead of maths, crypto and Linux, we're in trouble: at best we're bored, at worst we are lost and have no idea where to go next. I want to be confused because you're talking out of my league (like normal), not out of my subject.

'Sgood to be back. :)
