[ISN] Security Expected To Take A Larger Bite Out Of IT Budgets
isn at c4i.org
Wed Jun 9 06:07:33 EDT 2004
Forwarded from: Nick Owen <nowen at wikidsystems.com>
ROI is a poor measure for all financial decisions. Information
security just demonstrate it's major weakness - it ignores the cost of
capital. What risk management projects do is reduce the cost of
Say you have two projects, one costs $1,000,000 and saves $100,000 a
year; the other costs $100,000 and saves $10,000 a year. Which do you
do? ROI and payback are the better for project A. However, what if
project A is far riskier than project B? If your cost of capital for
project A is 12%, doing project A is a *bad idea* because is creates
only $833,333 in value. If the cost of capital for Project B is less
than 10%, it is a good idea. ROI would have you do both.
IMO, this unhealthy focus on a very poor measure is hurting
information security. To suggest that my company should spend X% on
security because our peers do is beyond absurd. How do I best my
competition? There is no need for new ways to measure information
security, they exist already: ROIC, EVA, etc. anything that includes
at the cost of capital.
WiKID Systems, Inc.
Two-factor authentication, without the hassle factor.
InfoSec News wrote:
> By Antone Gonsalves
> TechWeb News
> June 7, 2004
> Spending on security-related technology is expected to increase over
> the next couple of years, leveling off at 5 percent to 8 percent of
> the IT budget of global 2000 companies, a market-research firm said
> Security spending takes up from 3 percent to 4 percent of IT budgets
> today, the Meta Group said in a report on calculating
> information-security spending. That amount, however, is expected to
> increases at a compound annual growth rate of between 8 percent and 10
> percent through 2006, before reaching a plateau.
> In general, information security doesn't have metrics for return on
> investment that's been adopted across industries.
> A chief financial officer typically defines ROI as dollars spent
> balanced by additional revenue or accrued profit, but "security
> doesn't generate revenue or improve profits in a predictable manner,"
> Meta analyst Chris Byrnes said.
> Therefore, Meta recommends that companies look to best practices in
> their industry as a way to determine how much they should spend as a
> percentage of their IT budgets.
More information about the ISN