I hate ROI
July 18, 2007
So, over at Anton’s blog, there’s a good roundup of the discussion of ROI in security. And Anton (among others) comes to the conclusion (with the help of his economics Ph.D. wife) that there’s no way to have ROI from a product in security.
And I have to say, he’s right, because what he’s talking about isn’t ROI in economic terms.
And he’s wrong. Because the question of whether bringing in a product enables a business to make more money (whether by top-line growth or bottom-line cost reduction) is what’s important, whether we call it “return on investment”, “rate of return”, “cost savings”, or whether we call it cash in the bank.
Let’s create an example that Anton can’t help but love.
Suppose we have a business that’s just breaking even – the company isn’t making money or losing money. But they employ a team of 15 people to read the logs on their systems, each of whom is paid (fully-loaded) $100K/year.
Now, suppose the brilliant CISO of our fictional organization calls Anton, and brings in Log Logic at a cost of $100K. Our CISO then fires 14 of the 15 log watchers.
Over the course of the year, the company now posts a profit of $1.3 million (by not paying the salaries of the 13 fired people). (Note: this ignores severance, etc. for simplicity.)
Now, did the product produce a return on the investment of $100K into it? You’d be hard-pressed to say that increasing company net profit by $1.3M as the result of a purchasing decision is not a return on the investment.
But the pedantic ones out there are right: it’s not strict “ROI”.
But I don’t care about ROI. I care about $1.3M profit. Call it whatever you want – whenever you invest in something that enables you to bring in more money or reduce costs, it’s a smart decision, whether you can calculate it as strict ROI or not.
3 Responses to “I hate ROI”
Exactly.
IRM can build all sorts of value proposition statements that smell like ROI, and Ken Belva can talk to PhDs who claim that there is IRM ROI, but at the end of the day – whatever calculation you come up with has to be defensible.
That’s the punchline to an old physics joke about horse racing – it reflects the oftentimes unrealistic expectations we make when creating academic models for real-world performance.
I got thinking about this after Ken emailed me about his blog post a
Hi Mike,
This is a good example of cost savings. And, contrary to what you might read elsewhere, I agree this is a *good thing*. I disagree with being called pedantic. If we security people expect real business people with sound financial understanding to respect and listen to us, we should be using their terms properly and not inventing our own definitions. (I’m not saying you are at fault here, since you recognize what real ROI is.)