So, over at Anton's blog, there's a good roundup of the discussion of ROI in security. And Anton (among others) comes to the conclusion (with the help of his wife, who has a Ph.D. in economics) that there's no way to have ROI from a product in security.
And I have to say, he's right, because what he's talking about isn't ROI in economic terms.
And he's wrong. Because the question of whether bringing in a product enables a business to make more money (whether by top-line growth or bottom-line cost reduction) is what's important, whether we call it "return on investment", "rate of return", "cost savings", or whether we call it cash in the bank.
Let's create an example that Anton can't help but love.
Suppose we have a business that's just breaking even - the company isn't making money or losing money. But they employ a team of 15 people to read the logs on their systems, each of whom is paid (fully-loaded) $100K/year.
Now, suppose the brilliant CISO of our fictional organization calls Anton, and brings in Log Logic at a cost of $100K. Our CISO then fires 14 of the 15 log watchers.
Over the course of the year, the company now posts a profit of $1.3 million (by not paying the salaries of the 13 fired people). (Note: this ignores severance and similar costs, for simplicity.)
Now, did the product produce a return on the investment of $100K into it? You'd be hard-pressed to say that increasing company net profit by $1.3M as the result of a purchasing decision is not a return on the investment.
But the pedantic ones out there are right: it's not strict "ROI".
But I don't care about ROI. I care about $1.3M profit. Call it whatever you want - whenever you invest in something that enables you to bring in more money or reduce costs, it's a smart decision, whether you can calculate it as strict ROI or not.