Lets face it security can be expensive and when trying to implement a security system that is going to cost big bucks the company needs to know what it is they have to gain. ROI is important because it can show whoever your working for the benefits of their investments in a particular security set up. Seeing the amount of money they will save after implementation can show the advantages of having the security system as opposed to not having it.

As an architect, you must be able to relay the return on investment to upper management so that your ideas will be accepted. It is important to explain the value of your ideas so that it is clear there will be a return on the investment. Also, with any system that is designed, the goal is to have some sort of ROI in order to generate what is important to the business over time.

ROI and OS security Architecture are basically two peas in a pod. As one of our previous professors said, if you can't sell security to upper management then you have no place in security. ROI is all about what are you going to get back for what you put in to it. This is where soft skills come in great need! without soft skills being able to sell this to upper management and get the ROI is never going to happen.

Upper management will need to understand that ROI will not always be tangible or come in the form of monetary value. Instead it could be the potential of security infractions that could potentially go wrong but have not occurred. They haven't occurred because of the security architecture that is in place.

ROI for Security Architecture is a way to measure how much we can spend on a security system, which protects data valued at an X amount of dollars. As it was mentioned several times in class, we should not spend $1million on $100,000 worth of data. The problem on estimating how much return on investment we can get from a security system, is that sometimes data which does not have a significant dollar value attached to it, might be worth much more in company reputation, or have a significant intellectual value, both of which are hard to measure. In order to actually measure the ROI for the system we implement after a dollar value has been assigned to the data, we have to protect it for certain period of time from being stolen, leaked, erased, modified, or otherwise compromised.

Security is very necessary in business today. The best why to see your return on that investment is to quantify the actually amount of dollars that would be lost if hacked. Ask the question what would be the total damage if a breach occurs. What is our reputation worth? If you are a bank or a credit card company how many customers would you lose from the damaged reputation. What would the down time in man hours cost. How much money would be lost during the time the systems where down if attacked. Your return is the amount of money you did not lose. This could be millions of dollars in savings for a few hundred thousand dollars spent on security. When we look at it this way I think we can easily see our return on investment.

Its hard to actually show ROI with IT security, but the best way to do it is show what the cost is up front to implement your design, hardware, and labor hours.  Then you show the cost of cleanup, remediation, and recovery when a business doesn’t implement some type of IT security.