Let's talk RoSI!!

So, I read an article this morning on Return on Security Investment (RoSI) and it got me to thinking. It was accompanied by the question "Can you profit from Information Security?"

Well, the answer in its simplest form is yes! Quite simply by offering Information Security services as your key business function, that is how you are generating revenue. However, I think the question sought to look deeper to target RoSI and perhaps answer the question with the the following answer. You can continue to profit through implementation of Information Security. The easiest way that I can think to show stakeholders positive RoSI is to draft a "Worst Case Scenario" and show them how Information Security investments will prevent those scenarios. Your absolute best "Worst Case Scenario", is the one that completely eliminates a revenue stream. I point this out because, as an IT Security Professional, we may not be knowledgeable to the company's financials and where profitably that is critical to stakeholders may lie. As such, we should seek to identify this information through the simplest means. Look for the scenario that when it occurs would be catastrophic in its resulting breach and would in turn lose either a client or a business function in its entirety. With this approach, it is relatively easy to show stakeholders that you can indeed continue to profit through Information Security implementations.

Full Disclosure - This is my first ever Article written on LinkedIn. Feel free to critique to your hearts desire.