I just read this post by Richard Bejtlich at TaoSecurity. Basically, a guy was trying to come up with an ROI for security, trying to show management where security adds value in actual dollars. Richard is correct that there really ain’t no such animal.
I have never figured out a way to show my CEO or CFO value for putting in an IPS. I can show how it fills a security gap or helps us comply with HIPAA (though when you come up with a concrete definition for that one, let me know). But I cannot show him that the IPS will pay for itself by adding value to our company. Like Richard points out, security is insurance. The IPS will only pay for itself if it prevents an attack that would have cost the company more than what we paid for the IPS.
Of course, the problem with that argument is that you never really know what an attack would have cost you. Yes, you can quantify an asset and tell the CFO that it will cost the company $50,000 if it is lost. But not many execs put stock in something that MIGHT happen or what it MIGHT have cost. They want numbers.
Vet
Watch the video below. I have heard and read some stuff about this, but this video really tells the tale. It seems professionally done. The people all seem very genuine and not actors, or they are very good actors.
Just a few of my thoughts on the issue:
- This is from a foreign country, so I don’t know if the insurance issues are the same here in the States, but basically the concern was that if there are no signs of burglary, then your insurance company won’t pay a claim.
- The claim was that this was the end of security for physical locks. I think this is a little bit of the ol’ FUD game, but hearing it from an experienced (30 years) locksmith makes you think a little bit.
- It brings out the need for layers in security. An alarm system is a fairly good layer, even in houses. At least it will deter some low-level crooks, which are your typical crooks in home burglaries.
- When it comes to businesses, they will need to start looking into alarms and better locks (keypads, etc.).
- And the overall lesson: no matter what you do, if someone is determined to break in, they probably will. All you can do is your best.
[gv data="7Uv45y6vkcQ"][/gv]