We had a fun bloggie style discussion on measuring the value of security programs a while back. All attempts to do so always run into problems measuring the cost or the benefits. Everyone talks as if businesses make business decisions based on hard facts used to scientifically calculate return on investment or hurdle rates or discounted cash flow, but if you dig into most of those you find a lot of squishy assumptions as the foundation of the analysis. Security is no different – we just don’t have the cover of good spreadsheets, though ROSI is a start.
It invariably comes down to driving change – we know there are weaknesses in our security protections or the business side knows that security policies are inhibiting business. We’re both trying to drive towards the balance of where security costs to contain risks are balanced with business needs to take risk. Since the threats and business conditions change constantly, it is a constant negotiation – like pretty much the rest of life. That doesn’t means security is just a journey, not a destination – it means every time we reach a destination we need to be prepared to pick the right path to the next stop.
Security Spending Sweet Spot
0 responses so far ↓
There are no comments yet...Kick things off by filling out the form below.
Leave a Comment