A Barn Door Has No ROI
When you think about it, farmers know where their assets are better than a lot of us in business. Usually, they’re in the barn. A security geek’s interpretation of the term “closing the barn door after the horses have bolted”, would probably be something like “it’s too late to take preventative action after the incident has occurred.”
But if you think on it a bit longer, you may also realize that the barn door was probably already there; it just wasn’t being used properly at the time the horses escaped. Sometimes (as in when a security breach occurs) our safeguards are in place and just not used properly, but other times we didn’t even have a barn door to close. Is it any wonder the horses got out?
As simple safeguards go, doors usually work pretty well, and they are easy for most of us to understand as examples. We don’t usually have to justify spending money on a decent door. But we don’t often thing about the fact that a door has both good and bad characteristics. For example a door can be:
- A barrier to keep the harsh outside elements from blowing into the house
- A barrier to letting fresh air into the house
- A way to protect you and your belongs from intruders
- An obvious point of attack for intruders to get in
- An entranceway for welcome visitors
- A way to prevent children (or other valued life forms) from leaving the protection of the house
Most of the time, you want the door to allow you to pass through without much trouble. But you also need it to have a security role, at least part of the time.
So, when a farmer builds a barn to house his livestock, he thinks about how big a door opening he will need to allow his assets to move freely in and out as needed. But the door closure itself has to be installed and used properly to get the “security” benefit out of it; that is usually to keep the creatures in. If he doesn’t close the door properly when he leaves and the horses are unattended, they will likely escape.
So, the farmer knows he will need a door that is easy to open and easy to close and latch. Do you know any farmers who do a Cost-Benefit or Return-on-Investment analysis on their barn doors? Does this even make sense?
Farmer John: I was just trying to figure out how I’m going to keep my horses from bolting out of my new barn.
Postman Fred: Well, you know I just heard about Farmer Cecil down the road who had the same problem last week.
Farmer John: ‘Zat so? What did Farmer Cecil do?
Postman Fred: Well, his young whipper-snapper of a son just got back from some fancy business school and was trying to tell him about something new called “ROI”. He showed Cecil that if he spent $200 on a solid steel door from Doorco, he reckoned only one horse would probably bolt over the next 20 years. He also figured out that if he spent $25 on a burlap curtain from the Sack-Shack to cover the door opening, a horse would bolt in the next 24 hours, sure as my handkerchief needs a washin’. Cecil said his son was so smart, he figured out in his head that it would be better to spend the money on the steel door.
Farmer John: Ya don’t say… Well, maybe I could get him to come and have a look at my barn…
Sure, it sounds silly. But how many organizations realize that investing in security safeguards is just like putting a door on a barn. It’s not so much trying to figure out how much money you will save if you put on a door. You know if you don’t put on a door, eventually, you’re going to have to buy a new horse. So, why not get the door and close it as soon as you put a horse inside?
Between insider threats, hackers, competitors, natural disasters and accidents, every asset becomes threatened at some point. But instead of trying to justify security by using “Return on Investment” (or worse, investing in it after the first incident has occurred – what I call “Pre-burn on Investment” because you’ve probably just paid for the safeguard twice), you should try to be more pro-active.
Ideally, you should have a standard, (the equivalent of the “no-brainer barn door”) appropriate to the type of organization you have. Many times you don’t need anything more fancy that that. Just recognize that each safeguard has weaknesses that may need compensating measures, and it has to be used properly.
Scott on 16 Feb 2008 at 6:44 am #
I should have also mentioned that many organizations do use Baseline Security Standards of some kind, as a way of maintaining consistent treatment of common security issues. Most governments have baseline standards (Government Security Policy in Canada, ISO 27000 series as an emerging global standard, etc.)
Organizations will often take one of these standards and tailor them for their own use. You may still need to do some form of economic analysis to see if the “expected losses” prevented by a safeguard are worth the cost of implementing it. But this is where a Threat and Risk Assessment can be used to identify appropriate safeguards that are recommended based on the risks to the organization beyond what baseline security standards would protect against.
Barn Door Simple? Not Exactly… | RiskAnalys.is on 21 Feb 2008 at 1:49 pm #
[…] Scott Wright of Scott Wright’s Security Views Blog wrote recently in his post “A Barn Door Has No ROI”: But how many organizations realize that investing in security safeguards is just like putting a door on a barn. It’s not so much trying to figure out how much money you will save if you put on a door. You know if you don’t put on a door, eventually, you’re going to have to buy a new horse. […]
The Security Catalyst » Carnival of the Security Catalyst Community for Tuesday, February 26, 2008 on 26 Feb 2008 at 7:46 am #
[…] I thought Scott penned a good look at ROI in A Barn Door Has No ROI. I often discourage people from bothering with ROI; I don’t find it to be a highly effective measure to communicate need. Instead, I generally suggest people work to reduce costs and communicate benefits in simple and common language (no jargon). Scott lays out a simple and easy to understand scenario that will help in the future. […]