The Business Justification for Data Security- Version 1.0

By Rich

We’ve been teasing you with previews, but rather than handing out more bits and pieces, we are excited to release the complete version of the Business Justification for Data Security.

This is version 1.0 of the report, and we expect it to continue to evolve as we get more public feedback. Based on some of that initial feedback, we’d like to emphasize something before you dig in. Keep in mind that this is a business justification tool, designed to help you align potential data security investments with business needs, and to document the justification to make a case with those holding the purse strings. It’s not meant to be a complete risk assessment model, although it does share many traits with risk management tools.

We’ve also designed this to be both pragmatic and flexible- you shouldn’t need to spend months with consultants to build your business justification. For some projects, you might complete it in an hour. For others, maybe a few days or weeks as you wrangle business unit heads together to force them to help value different types of information.

For those of you that don’t want to read a 38 page paper we’re going to continue to post the guts of the model as blog posts, and we also plan on blogging additional content, such as more examples and use cases.

We’d like to especially thank our exclusive sponsor, McAfee, who also set up a landing page here with some of their own additional whitepapers and content. As usual, we developed the content completely independently, and it’s only thanks to our sponsors that we can release it for free (and still feed our families). This paper is also released in cooperation with the SANS Institute, will be available in the SANS Reading Room, and we will be delivering a SANS webcast on the topic on March 17th.

This was one of our toughest projects, and we’re excited to finally get it out there. Please post your feedback in the comments, and we will be crediting reviewers that advance the model when we release the next version.

And once again, thanks to McAfee, SANS, and (as usual) Chris Pepper, our fearless editor.

No Related Posts


Sorry it took me a few days to get back to you. I don’‘t call that ROI- by definition ROI is associated with positive returns. When you get increased efficiency/cost reduction, I call that reduced TCO and we included it in the model. Maybe I’‘m just anal, but I like to stick with a more strict definition of ROI vs. cost reduction or even net present value.

Great point about the name on the jersey and customer loss! And nice to hear you liked the paper overall.

By rmogull

Return On Investment (ROI): Repeat after me: There is no ROI for security spending. Anyone who tells you otherwise is

I think I disagree with you, and I think this is due to your overly narrow perspective of the field.  While there may not be a ROI for spending on things like DLP or other measures to prevent loss, you cannot extrapoloate that to say there is never an ROI on any security software. 

Case in point, if I buy an automated account management/entitlement system, and I can reduce the ammount of time that business users wait to get access to revenue generating systems (e.g., a CRM) I might be able to call that a return… time is money, after all.  BUT, if I can reduce the number of staff supporting entitlement requests by 2, then I can surely claim that as a return. 

You also point out that "It’s not uncommon for disgruntled sales executives leaving a company to gather up intellectual property ranging from pricing sheets to customer lists. Many of these individuals end up working for competitors, and use the data for their new employer. While they will focus their new sales efforts directly on customers of their old organization, this doesn’t mean all (or any) of those customers will switch vendors, but it certainly increases the risk and alters the competitive situation."

It is also worth considering the flipside that the customers may very well leave anyway, regardless of data theft.  Depends on if they value the name on the front or the back of the jersey more. 

Overall, worth the time to read.  I like most that it highlights the volume of securioty improvements that can be made with little to no investment.  I was somewhat worried that this would be a DLP paper, and was pleased that it wasn’‘t.

By ds

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.