Return on investment (ROI), from a business perspective, is elementary: You spend money with the expectation that you'll make back the same amount, plus some revenue gain. An e-commerce server that costs $20,000 and processes $100,000 in transactions will have a $80,000 ROI, or 400 percent.
Security is a cost center like human resources, the mailroom and facilities; it doesn't generate revenue. Even here, though,
The same logic is applicable to most any security process: services vs. in-house operations, or help desk vs. manual password resets, IPS and incident reductions. If the savings is greater than the product's TCO, you have positive ROI.
Generally speaking, ROI is gained by increasing the productivity of your IT staff through automation and reducing recurring, predictable incident costs. Frequent incidents and their associated response costs are a factor in some security spending, such as antivirus and antispam, in which ROI is an evaluation of operating costs under different conditions, such as running a network with and without AV.
- Review these resources on security ROI.
- Learn best practices for achieving ROI for security spending.
- Learn strategies quantifying security risk.
Note: This article originally appeared on Information
This was first published in February 2005