The Security ROI "Death Spiral"

Every once in a while I have a conversation with one of my CISO colleagues that's so good that I have to convince them to write an article here for the blog and share their viewpoint. Not many of them can share their experiences, unfortunately, and even fewer get to use their real names. This post comes from someone some of you may know, but most probably don't ... and they are really, truly the kind of CISO that an enterprise would be lucky to have.


A little bit of background first... I used to believe in ROI (return on investment) as a reasonable way to demonstrate the value of Information Security investment. Over the last few years I've changed my own mind, partly because others have shown me the error of my ways, and partly because I now know better ... so when this conversation started you know I was excited!


Without further ado ...


A Fortune 500 CISO writes...


The worst thing that can happen to a CISO is to get trapped in the ROI Death Spiral. I know, I know, we’ve all been told that we need to justify cost, manage expense, use the tools our companies provide us, etc. CISOs that don’t play by the rules won’t get anywhere.


Well, that’s all true. If you don’t manage your expenses, live in a budget and produce value, you are in deep trouble. And one clear way to know you are in deep trouble is that your CIO or CFO is demanding you show the ROI before they let you spend money. You see, an ROI study done before spending money is a trap to prevent you from spending money. On the other hand, one done after spending the money is a way to show that the project was a great idea in the first place.


The bottom line?


When folks in your organization want you to do things like an ROI study (or checklists, compliance reviews, and all other manner of non-security stuff), it means they don’t think you’re adding value. Once you get on this path, you are going to be in the ROI Death Spiral. Projects won’t get funded, you won’t get new headcount, the squeeze will be put on your operating budget.


You, sir, are in big trouble.


The only solution? Figure out how to add value, make your company better, stronger, faster. That’s the only way out of the cunning trap your CFO has built for people that he thinks aren’t adding value and delivering on promises. Or live in the ROI Death Spiral.




Great insight, from someone that would certainly know.


What do you think?  Have you ever been caught in an "ROI death spiral"?  I'd love to hear your experience whether it agrees with this CISO, or completely contradicts... you know how to get a hold of me.


As always, please do leave your Twitter handle if you're leaving a comment ... I'd love to give you proper credit.

marcin marcin(anon) | 11-02-2012 11:22 PM

I saw IT management apply the ROI trick to decimate what they perceived as a rogue IT Sec group.

The group was not rogue, but it had failed to realize that FUD does not work anymore and, more importantly, it had failed to shift its focus from vague threats to the all-important internal customers, which is what the business demanded.

It was a motion of no confidence: every Security ROI came up for discussion, and most were declared to present too high an opportunity cost. The manager was replaced with a micromanager, and the group dispersed through attrition.

ROI/ROSI, etc., are financial terms, and make no sense when blindly applied to groups that only support revenue generation. When required, especially in an adverse environment, any ROI argument must be based on robust metrics, and either align with a strategy that is blessed by senior management or go in lockstep with the rest of the infrastructure. Otherwise arguments over judgment reduce any technical merits to a pure show of political strength.

mudhenboy(anon) | 11-05-2012 03:25 PM

I am currently attempting to develop infosec metrics as a way for my organization to measure the effectiveness of my program. I believe that some type of measurement is necessary to answer the question "how do you know?" There is also a pragmatic concern here, and that is, as an infosec professional, how do you defend your decisions/actions?

In short I'm not sure what the best answer is, and it really probably depends on the goals and objectives of the organization. However, I do agree that ROI is more likely left to the developer/architecture folks.

Derick Winkworth(anon) | 11-06-2012 10:37 AM

Sony is in the billions now for the total cost of the big one.  ROI solved.

screamingbyte(anon) | 12-24-2012 01:41 PM

I've always wondered to myself, "How am I supposed to show ROI for something that hasn't happened yet?"  The entire purpose of risk mitigation is to prevent something from happening in the first place.

I suppose this is where it helps to mention to them that ROI doesn't apply to Infosec.  That's what the Risk Assessment is for.  I would like to point at the Risk Calculation instead:

Asset Value (AV) - we can provide the actual cost of the particular asset the assessment is for, so that's real money.

Exposure Factor (EF) - we figure out the rate at which the failure is reasonably expected to occur.

Annualized Rate of Occurrence (ARO) - multiplied by the EF

Annual Loss Expectancy (ALE) - ALE = SLE * ARO

Once we have that ALE, we can compare that against mitigation budget and determine how to approach that through...

Risk Avoidance
Risk Transference
Risk Mitigation
Risk Deterrence
Risk Acceptance

Or some effective combination.


Of course, we can't forget to stress the difference between the quantitative and qualitative assessments. For example, looking simply at qualitative for a DMZ web server would definitely show that Risk Acceptance is probably OK, because the cost of recovery is probably less than the cost of the mitigation. But considering the qualitative effects is to consider the damage to reputation and the embarrassment of having the website defaced, which could cause stakeholder concern, or even cause investors to balk. Once the qualitative perspective is applied, it's obvious that far more is at stake than just the direct cost of recovering that asset.


To conclude, I couldn't agree more with "A Fortune 500 CISO", which is probably why he/she gets paid the big bucks and I just blog.  It has always seemed to me that ROI is the wrong tool for the job.  Unfortunately, those who are not T-shaped architects and are only on the business side of things only have the tools they know and they often seem to think they can apply their tools universally.  We have our own tools and we just need to make appropriate use of them and try our best to show value in a field where the value often isn't realized until AFTER something bad happens.
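Editor's note: the risk calculation sketched in the comment above, carried through as an added worked example. This is not code from the original post or from any of its commenters. It uses the standard quantitative definitions: EF is the fraction of the asset's value lost in one incident, SLE = AV * EF, ALE = SLE * ARO, and a control is worth buying when (ALE before) minus (ALE after) minus (annual cost of the control) comes out positive. The DMZ web server figures, the three candidate responses, and the per-incident "intangible" loss used to fold the reputational concern into the numbers are all constructed assumptions for illustration, not data from the page.

```python
"""Quantitative risk cost-benefit: SLE / ALE and control selection.

Added example; every figure below is constructed, not taken from the blog post.
"""
from dataclasses import dataclass, replace
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat scenario against one asset."""
    name: str
    asset_value: float                    # AV: replacement / recovery cost of the asset
    exposure_factor: float                # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float                            # ARO: expected incidents per year
    intangible_per_incident: float = 0.0  # assumption: an estimated reputational /
                                          # stakeholder loss per incident, folded into SLE

    def sle(self) -> float:
        """Single Loss Expectancy: AV * EF, plus any estimated intangible loss."""
        return self.asset_value * self.exposure_factor + self.intangible_per_incident

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate risk response and its modelled effect on the scenario."""
    name: str
    strategy: str                 # "mitigate", "transfer" or "avoid"
    annual_cost: float            # licence, premium, labour, hosting... per year
    aro_multiplier: float = 1.0   # residual ARO = ARO * this (mitigation / avoidance)
    loss_multiplier: float = 1.0  # fraction of each loss still retained (transfer)


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The scenario as it looks once the control is in place."""
    return replace(
        risk,
        aro=risk.aro * control.aro_multiplier,
        exposure_factor=risk.exposure_factor * control.loss_multiplier,
        intangible_per_incident=risk.intangible_per_incident * control.loss_multiplier,
    )


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual value of a control: ALE reduction minus what the control costs per year."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def recommend(risk: Risk, controls: Sequence[Control]) -> Tuple[str, float]:
    """Pick the control with the highest positive net benefit; otherwise accept the risk."""
    best = max(controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return ("accept", 0.0)
    return (best.name, net_benefit(risk, best))


# Constructed scenario: a DMZ web server that gets defaced and has to be rebuilt.
# Direct recovery cost only (rebuild labour + downtime), full loss per incident,
# about one incident a year.
DIRECT_ONLY = Risk("DMZ web server defacement", asset_value=5_000.0,
                   exposure_factor=1.0, aro=1.0)

# The same scenario once an estimated per-incident reputational loss is counted.
WITH_REPUTATION = replace(DIRECT_ONLY, intangible_per_incident=45_000.0)

# Constructed candidate responses (all prices and effect sizes are assumptions).
CONTROLS = (
    Control("WAF in front of the DMZ web server", "mitigate",
            annual_cost=8_000.0, aro_multiplier=0.25),
    Control("cyber insurance covering half of each loss", "transfer",
            annual_cost=6_000.0, loss_multiplier=0.5),
    Control("move the site to managed static hosting", "avoid",
            annual_cost=30_000.0, aro_multiplier=0.0),
)

if __name__ == "__main__":
    for risk in (DIRECT_ONLY, WITH_REPUTATION):
        print(f"{risk.name}: SLE={risk.sle():,.0f}  ALE={risk.ale():,.0f}")
        for c in CONTROLS:
            print(f"  {c.strategy:8} {c.name:45} net benefit {net_benefit(risk, c):>10,.0f}")
        print("  -> recommendation:", recommend(risk, CONTROLS))
```

Run as a script, the direct-cost-only version of the scenario recommends accepting the risk (every control costs more per year than the ALE it removes), while the version that counts the reputational loss recommends the WAF with a clear positive net benefit, which is the flip the comment describes once the qualitative side is put into numbers. The intangible_per_incident field is the one deliberate departure from the textbook AV/EF/ARO model; treat its value as the estimate it is.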

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation