Calculated Risk

09.12.2002
By Scott Berinato

We'll set you on the path to succeed in building and using ROSI as a tool to sell security, with a simple three-step primer. Trust us, your CEO will think it's worth it.

Step 1: Rethink Your Assumptions

Exostar's Nigriny is clearly not in the majority when it comes to security professionals and ROSI. The defeatist shrugs that accompany conversations about ROSI have become conventional wisdom. "Most execs want hard numbers to make financial decisions, and we live in a world where you can't always have that," says Rich Mogull, research director at Gartner G2 Cross-Industry Research. "I mean, what's the ROI of a fire extinguisher?"

According to one study the American Society of Safety Engineers (ASSE) cites, the ROI of fire extinguishers is in fact about a $3 return for every $1 invested if you take fire extinguishers as part of a larger corporate health and safety initiative--which you should, since fire extinguishers (like IT security) rarely show up as a discrete security purchase. (For the sake of our argument, ignore that Mogull's example is hamstrung by the fact that, often, regulation mandates fire extinguishers.)

The point here is that ROSI can be calculated and is being calculated. To do so with information security, though, there needs to be a deliberate effort to rethink some of the industry's assumptions and cultural biases. Specifically, there are two biases that need to be eliminated:
