The Security ROI "Death Spiral"

Sunday, November 18, 2012

Rafal Los


Every once in a while I have a conversation with one of my CISO colleagues that's so good that I have to convince them to write an article here for the blog and to share their viewpoint.  Not many of them can share their experiences, unfortunately, and even less get to use their real names.  This post comes from someone some of you may know, but most probably don't ... and they are really, truly the kind of CISO that an enterprise would be lucky to have.

A little bit of background first... I used to believe in ROI (return on investment) as a reasonable way to demonstrate the value of Information Security investment.  Over the last few years I've changed my own mind, partially because others have shown me the error of my ways, and partly because I now know better ... so when this conversation started you know I was excited!

Without further ado ...

A Fortune 500 CISO writes...

The worst thing that can happen to a CISO is to get trapped in the ROI Death Spiral. I know, I know, we’ve all been told that we need to justify cost, manage expense, use the tools our companies provide us, etc. CISOs that don’t play by the rules won’t get anywhere.

Well, that’s all true. If you don’t manage your expenses, live in a budget and produce value, you are in deep trouble. And one clear way to know you are in deep trouble is that your CIO or CFO is demanding you show the ROI before they let you spend money. You see, an ROI study done before spending money is a trap to prevent you from spending money. On the other hand, one done after spending the money is a way to show that the project was a great idea in the first place.

The bottom line?

When folks in your organization want you to do things like an ROI study (or checklists, compliance reviews, and all other manner of non-security stuff), it means they don’t think you’re adding value. Once you get on this path, you are going to be in the ROI Death Spiral. Projects won’t get funded, you won’t get new headcount, the squeeze will be put on your operating budget.

You, sir, are in big trouble.

The only solution? Figure out how to add value, make your company better, stronger, faster. That’s the only way out of the cunning trap your CFO has built for people that he thinks aren’t adding value and delivering on promises. Or live in the ROI Death Spiral.


Great insight, from someone that would certainly know.

What do you think?  Have you ever been caught in an "ROI death spiral"?  I'd love to hear your experience whether it agrees with this CISO, or completely contradicts... you know how to get a hold of me.

As always, please do leave your Twitter handle if you're leaving a comment ... I'd love to give you proper credit.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Enterprise Security Budgets ROI CISO
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.