September 03, 2008

Yet more evidence: your CISO needs an MBA

I have in the past presented the strawman that your CISO needs an MBA. Nobody has yet succeeded in knocking it down, and it is proving surprisingly resilient. Yet more evidence comes from Bruce Schneier's blog post of yesterday:

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

It's become a big deal in IT security, too. Many corporate customers are demanding ROI models to demonstrate that a particular security investment pays off. And in response, vendors are providing ROI models that demonstrate how their particular security solution provides the best return on investment.

It's a good idea in theory, but it's mostly bunk in practice.

Bunk is wrong. Let's drill down. It works this way: NPV (net present value) and ROI (its lesser cousin) are a mathematical tool for choosing between alternate projects. Keep the notion of comparison tightly in your mind.

The tools measure the money going in versus the money going out in a neutral way. They are entirely neutral between projects because NPV is just mathematics, and the same mathematics is used for each project. (See the top part of Richard's post.)

Obviously, any result from the model depends totally on the inputs, so a great deal of care and theory is needed to supply those inputs properly. And it is here that security projects have trouble, in that we don't have a good view of how to predict attack costs. To be clear, there is no controversy about the inputs being a big problem.

But, assuming we have the theory, the process and the inputs, we can, again in principle, measure fairly across all projects.

That's how it works. As you can see above, we do not make a distinction between investment, savings, costs, returns or profits. Why not? Because the NPV model and the numbers don't, either.

What then goes wrong with security people when they say ROI doesn't apply to security?

Before I get into the details, there's one point I have to make. "ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.

Or, here:

The bottom line is that security saves money; it does not create money.

It seems that they seize on the words investment and returns, etc., and realise that the words differ from costs and savings. In conceptual or balance-sheet terms they do differ, but here's the catch: to the NPV and ROI models, it's all the same. In this sense, we could say that the title of ROI is a misnomer, or that there are several meanings to the word "investment" and you've seized on the wrong one.

If you are good at maths, consider it simply as a model that deals equally well with negative numbers as with positive numbers. To the model, savings are just negatives of returns.
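The two points above, that NPV is one formula applied identically to every candidate project and that a saving is just a negative cost, can be shown in a few lines. The following is an added example, not code from the blog post: a revenue project (a new branch) and a security control are scored with the same `npv` function, and the control's "return" is simply the expected loss it avoids each year, entered as a positive number. The discount rate, outlays, breach cost and probability reduction are all constructed figures; the `breakeven_p_reduction` and `sensitivity` helpers are my additions to show where the inputs, rather than the model, drive the answer.

```python
# Added example (not from the blog post): the same NPV arithmetic applied to a
# revenue project and a security project, to show that the model is neutral
# and that savings are just negatives of costs. All figures are constructed.

from typing import Dict, List, Tuple


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value of yearly cash flows.

    cash_flows[0] happens now (an outlay is negative); cash_flows[t] happens
    at the end of year t and is discounted by (1 + rate) ** t. The formula
    never asks whether a number is a "return" or a "saving".
    """
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def annuity_factor(rate: float, years: int) -> float:
    """Present value of 1 received at the end of each of `years` years."""
    return sum(1.0 / (1.0 + rate) ** t for t in range(1, years + 1))


def revenue_project(outlay: float, yearly_profit: float, years: int) -> List[float]:
    """A classic investment: pay now, earn a profit each year."""
    return [-outlay] + [yearly_profit] * years


def security_project(outlay: float, yearly_run_cost: float,
                     p_reduction: float, breach_cost: float,
                     years: int) -> List[float]:
    """A security control expressed in the same cash-flow terms.

    The control's 'return' is the loss it is expected to avoid each year:
    (reduction in annual breach probability) * (cost of a breach), i.e. the
    annualised loss expectancy it removes, entered as a positive number,
    minus what it costs to run. The assumed inputs (p_reduction and
    breach_cost) are exactly where the hard part lives.
    """
    avoided_loss = p_reduction * breach_cost
    return [-outlay] + [avoided_loss - yearly_run_cost] * years


def rank_projects(rate: float, projects: Dict[str, List[float]]) -> List[Tuple[str, float]]:
    """Score every candidate with the same formula and sort, best first."""
    scored = [(name, npv(rate, flows)) for name, flows in projects.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def breakeven_p_reduction(rate: float, outlay: float, yearly_run_cost: float,
                          breach_cost: float, years: int) -> float:
    """Smallest probability reduction at which the control's NPV is zero.

    Solves -outlay + (p * breach_cost - run) * annuity = 0 for p. This turns
    'what is the attack probability?' into the more checkable question 'do we
    believe the control cuts it by at least this much?'.
    """
    return (outlay / annuity_factor(rate, years) + yearly_run_cost) / breach_cost


def sensitivity(rate: float, outlay: float, yearly_run_cost: float,
                breach_cost: float, years: int,
                p_reductions: List[float]) -> List[Tuple[float, float]]:
    """NPV of the security project across a range of assumed inputs."""
    return [(p, npv(rate, security_project(outlay, yearly_run_cost, p, breach_cost, years)))
            for p in p_reductions]


if __name__ == "__main__":
    RATE = 0.10  # constructed discount rate
    candidates = {
        "new branch": revenue_project(outlay=100.0, yearly_profit=30.0, years=4),
        "security control": security_project(outlay=50.0, yearly_run_cost=10.0,
                                             p_reduction=0.2, breach_cost=200.0,
                                             years=4),
    }
    for name, value in rank_projects(RATE, candidates):
        print(f"{name:18s} NPV = {value:8.2f}")
    be = breakeven_p_reduction(RATE, 50.0, 10.0, 200.0, 4)
    print(f"control breaks even if it cuts annual breach probability by {be:.3f}")
    for p, value in sensitivity(RATE, 50.0, 10.0, 200.0, 4, [0.05, 0.1, 0.2, 0.3]):
        print(f"  p_reduction={p:.2f}  NPV={value:8.2f}")
```

Nothing in `npv` or `rank_projects` knows which list came from the branch and which from the control; only the functions that build the cash flows know what the numbers mean. The break-even and sensitivity helpers are where the argument about inputs bites: the ranking flips as the assumed probability reduction moves, while the model itself stays the same.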

Now, if your security director had an MBA, she would know that the purpose of NPV is to compare projects, and not anything else, like generating returns. She would also know that the model is neutral, and that the ability to handle negative numbers means that expenses and savings can be compared as well. She would further know that the problems occur in the inputs and assumptions, not in the model.

Finally, she would know how to speak in the language of finance, which is the language that the finance people use. This might sound obvious, but it isn't so clear. As a generalisation, it is this last point that is probably most significant about the MBA concept: it teaches you the language of all the other specialities. It doesn't necessarily make you a whizz at finance, or human resources, or marketing. But it at least lets you talk to them in their language. And it reminds you that the other professions do have some credibility, so if they say something, listen first before teaching them how to suck eggs.

Posted by iang at September 3, 2008 10:09 AM

And finally, she would also know, in her heart, that this is all bunk which is used to justify a decision that everyone knows makes sense. Otherwise known as the cost of doing business.

Let us take the case of opening a bank branch in an area where a bank doesn't have any presence. A fat lot of good an ROI approach would do you in this case. But you will generate one to prove that it makes business sense to all the people that matter....

Ditto, CRM implementations etc. The only place this works is in cases where the cost savings / revenue increases are direct and quantifiable. For example, investment in better machinery that can produce 20% more tin cans in a day, while saving 10% on electricity and 5% on material inputs...

Posted by: Anonymous Coward2 at September 5, 2008 08:33 AM

AC2, you provide yet more evidence. The thing is, when you decide to open a bank branch, it will cost you money. The question then is, why not spend the money on something else?

Everything can be reduced to an estimate of how much this bank branch will earn you in the future, and how much it costs you to build. You do have that data, because you did it before. You can calculate how much this is worth, with the model.

Where the model then makes *more sense* is if you were to compare BB1 with BB2. If BB1 is in a more expensive neighbourhood, with the wrong clientele, then the estimates will show slower growth, more costs, less NPV. If BB2 has cheap rents and your target market, faster uptake and lower costs will factor back to better NPV. In this case, because the subjects of the model are very close, the differences can be shown clearly.

Or, you could just throw the money around and hope it works. Call it the cost of doing business. She knows what she wants, and everyone agrees! Hey, I've got a subprime for you to throw it into, you know you should....

Posted by: Iang at September 5, 2008 09:10 AM