….or at least I’d like to kill it.
I wasn’t going to comment on this whole parade of postings, but the camel’s back just broke. So here goes.
The first post I saw was No ROI? No Problem from Richard Bejtlich. I read it and thought that sounded in line with my understanding. Good enough.
Then Richard followed up with Security ROI Revisited to further the conversation.
The feed reader then produced Cutaway’s Security ROI is in the Eyes of the Beholder.
Also I caught Anton Chuvakin’s Security ROI Pile-Up! that hashes through several posts and some ‘in-house’ experts.
Finally we come today with Mike Murray’s I hate ROI.
I’ve got to start with the most foundational understanding I have, and that is that spending money is not the same as investing. An expense is not an investment. Investment is defined as “the investing of money or capital in order to gain profitable returns, as interest, income, or appreciation in value.”
Mr. Murray makes an example using a company that purchases a product for $100k that displaces $1.4M worth of payroll employees. He asks:
Now, did the product produce a return on the investment of $100K into it? You’d be hard-pressed to say that increasing company net profit by $1.3M as the result of a purchasing decision is not a return on the investment.
The problem is it wasn’t an investment in the first place. Yes, the fictitious company did cut costs, and of course that trumps ROI anyway. But let’s not call spending money on the overhead of a business an investment.
If we have to have yet another three letter acronym, let’s start using DUH. On second thought, that’s not an acronym. Still it works. “DUH, saving money is a good thing.” “DUH, protecting our butts might be smart.”