Return on security investment – proving it's worth it

Abstract

The pressure is mounting on security professionals to justify what they spend. But up to now proving return on investment has proved very tricky – and frustrating. Certain methods of demonstrating a return on investment - often termed return on security investment (ROSI) – have been advanced, but use remains limited. As a result, security projects are often justified on fear, uncertainty and doubt. Justifying investment can be problematic because information security often delivers non-financial benefits, rather than an increase in revenue or a reduction in costs. Also, there is a lack of clear guidance about calculating the financial benefits of information security activities – not to mention the fact that security professionals usually don't have a financial background. Before reviewing some key purchasing trends, we take a look at a fresh approach, backed by many global corporations, to getting ROSI on track. In today's business environment, security professionals are increasingly under pressure to justify the investments made in information security by their organisations. Various methods of demonstrating a return on investment – often termed return on security investment (ROSI) – have been advanced, but use remains limited. As a result, security projects are often justified on fear, uncertainty and doubt.