The Myth of ROI
An internal news clipping service led to a Google search, and I eventually found the original article “Information Security ROI: Not Every Expense Is an Investment”:http://www.metagroup.com/cgi-bin/inetcgi/jsp/displayArticle.do?oid=41867 by Tom Scholtz of “the META Group”:http://www.metagroup.com/.
bq. “Organizations should not consider every expense to be an investment,” adds META Group analyst Chris Byrnes. “Many security expenditures are completely valid and necessary and even legally required, but they are not investments that will produce a quantifiable return. In many instances, ‘What is the return on investment?’ is simply the wrong question to ask.”
This is true of many more things than Information Security, or even IT. Money is not always the right measure; sometimes it’s completely misleading (this is particularly true of environmental issues, but that’s a separate rant).
I’m glad to see someone “official” saying this for a change…
(The META Group article was originally published on 17 July 2003; why is it making the news in September?)
Actually, pretty much no one “gets it”, from what I could see in the discussions attached to your links.