ROI--There, I said it
Return on investment (ROI) is getting more than its normal share of attention these days. There are the supporters who think no decision should ever be made without a clear ROI. These folks are the type who build up a small number of minor ailments before going to the doctor (my hand is raised on this one). Then there are the detractors who think ROI is so overblown that they would willingly spend more just to prove that ROI doesn't exist.
In the security world, we have been granted a bit of immunity, primarily because security is often seen as "insurance." Because we understand there is a "higher calling" to security -- protecting information assets that are much more valuable than most people realize -- we have exempted ourselves with the excuse that security isn't about ROI, it's about protecting one's assets. These days we even talk about return on security investment (ROSI) to take credit for the value we provide without necessarily having to conform to the same rules that everyone else does.
THE HURWITZ TAKE: The notion that you can't get ROI from security solutions is hogwash. ROI is about increased efficiency and effectiveness of activities. To say that you can't get an ROI assumes one of two things: you are completely efficient and effective in your security operations or you don't perform security activities at all.
The way to get ROI from security is to understand those security-related activities that will be impacted by a solution. A firewall gains ROI because it reduces the need to configure access control lists (ACLs) on routers and hosts throughout the enterprise. Intrusion detection gains ROI from the costs associated with manual inspections of logs and deployment of sniffers to trace an intrusion.
A confession: I was one of those people who thought certain aspects of security provided no calculable return, primarily because I wanted to shout from the rooftops that our information assets have value that needs protecting. The great news is that we can gain ROI based on our daily activities and then benefit even more by taking into account a risk reduction.
Copyright 2002 Hurwitz Group Inc. This article is excerpted from TrendWatch, a weekly publication of Hurwitz Group Inc. - an analyst, research, and consulting firm. To register for a free email subscription, click here.
For More Information:
- Looking for free research? Browse our comprehensive White Papers section by topic, author or keyword.
- Are you tired of technospeak? The Web Services Advisor column uses plain talk and avoids the hype.
- For insightful opinion and commentary from today's industry leaders, read our Guest Commentary columns.
- Hey Codeheads! Start benefiting from these time-saving XML Developer Tips and .NET Developer Tips.
- Visit our huge Best Web Links for Web Services collection for the freshest editor-selected resources.
- Visit Ask the Experts for answers to your Web services, SOAP, WSDL, XML, .NET, Java and EAI questions.
- Discuss this article, voice your opinion or talk with your peers in the SearchWebServices Discussion Forums.