Pay Today or Pay Later-Calculating ROI to Justify Information Security and Compliance Budgets

摘要

Why do businesses need to calculate return on investment (ROI) for information security? Is the assurance that its network/information technology (IT) infrastructure is secure not good enough? The answer is no, not when information security is viewed as a cost to the business. The only way to get the board of directors to pay any kind of attention is to address ROI. IT departments have traditionally been viewed as cost centers, though they have learned to provide a business case analysis for IT initiatives. Information security departments are trying to figure out how to do the same thing. They cannot sell security initiatives based on fear anymore. Now, they must come up with justifications, complete with the dreaded metrics or hard financial facts. The business case needs to show specifically how potential costs associated with liability caused by security breaches may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.