Infosec is a seemingly fractious bunch, but there are two things on which you can get almost everyone in the industry to agree:
1. They should never, ever have to justify themselves to the business with a ROI case
2. They need more money from the business and don't understand why it is so hard to get
"They should never, ever have to justify themselves to the business with a ROI case"
I disagree.
:)
Posted by: Alex | October 13, 2010 at 06:43 PM
I disagree with the ROI justification point as well. This perception that the practitioner is right and the business is wrong demonstrates exactly what is wrong with our industry.
Posted by: Andrew Hay | October 13, 2010 at 10:44 PM
They just need to estimate metrics they feel confident they can reach and ask the biz types to put a value on those metrics, if they are achieved.
If they're sloppy at estimating what they can really do & they miss the mark, shame on them. If they hit the mark and the "return" wasn't what biz hoped for, shame on biz.
Posted by: TexAnne | October 14, 2010 at 01:57 AM
I'd like to see more discussion on how that ROI item is disagreed with.
I'd hope it wouldn't be as easy as, "security done early in development is less costly than security done later."
Posted by: LonerVamp | October 19, 2010 at 11:37 AM