"They should never, ever have to justify themselves to the business with a ROI case"

I disagree.


Andrew Hay

I disagree with the ROI justification point as well. This perception of "practitioner is right and business is wrong" demonstrates exactly what is wrong with our industry.


They just need to estimate metrics they feel confident they can reach and ask the biz types to put a value on those metrics, if they are achieved.

If they're sloppy at estimating what they can really do & they miss the mark, shame on them. If they hit the mark and the "return" wasn't what biz hoped for, shame on biz.


I'd like to see more discussion on how that ROI item is disagreed with.

I'd hope it wouldn't be as easy as, "security done early in development is less costly than security done later."

