Last week, we pointed to a post from Andy, IT Guy, about the concept of “Failure of Investment” (FOI) as a way to measure security initiatives. As this idea has taken root and inspired some discussion among other bloggers, this week we’ll explore the reaction to it.
From Uncommon Sense Security…
FOI, Failure of Investment
Jack Daniel supports Andy’s FOI theory and offers some supporting evidence from his work with a variety of small to mid-sized companies.
From Security Provoked…
Failure-on-Investment a More Accurate Measure of Security?
Sara Peters, meanwhile, is a bit more skeptical. She argues that for some companies, stakeholders care about factors beyond the technical success or failure of a security investment – savings due to meeting regulatory standards, for instance.
From Andy, IT Guy…
FOI in depth
Andy responds to the ongoing discussion and Sara’s challenges by reiterating that measures other than FOI are beside the point. Compliance is not its own reward, after all; it’s a means to an end – the end being actual protection of data. “Security for the sake of security is no security at all,” he says.