ROI for security implementation

[avnoidea]

Hi.

Does someone know, what are the variables to consider, when calculating the ROI to convince top management to seek ISO17799 certification?

Thanks

[Arviragus]

One of the reasons we persued it was the fact that a number of our partners wanted to audit us before they "got into bed with us", so to speak. We didn't want them to get access to all our dirty little secrets, nor did we want to go through this process every time we hooked up with a new partner. As such, we decided that by acheiving this accreditation, we could provide assurance to our partners of our security processes and practices, and we wouldn't have to allow all those external companies access.

ROI - saves time and effort, provides assurances to partners.
_________________
Cheers,
Arviragus

"Paranoia is the only sane approach. In this business, you would be crazy not to be paranoid."

[artdeco]

As an auditor/consultant for ISO 17799 I must say that I have never seen a ROI or ROSI (Return on Security Investment) defintion that really made sense to me because of the unusually high degree of speculation when calculating the return. The return is usually not even measurable because it may consist in: (a) hightened awareness and therefore faster incident response, (b) less actual damage (e.g. because virus protection was implemented and had not been there before), (c) avoided damage, which is hardly quantifiable.

Just to convice top management, here are two approaches that usually work:

1.) Put the investment cost and a reasonable damage figure opposite each other. Even the most stubborn CFO will usually quickly understand the message.

2.) Make it clear to management that it's THEM who go to prison in case of a violation of compliance, not you.

cheers,
Mike