The biggest challenge for security managers is to demonstrate the value added of security.  It is not an easy task for risk management to argue the return on security investment (ROSI), but it is certainly not a mission impossible.

In many organizations with a lower maturity in security risk management the link between investment in security and the value added is not sufficiently explained and justified.  Costs for security are therefore regarded as a necessary evil, mainly to meet legal obligations. In more mature organizations the link between security and the value added are well understood, therefore investments in security are related to the protection of value already created within the organization. Continue reading →