Simon Says – Musings of a Technology CTO

Last week, as many of you may know, was the inaugural McAfee user conference, snappily titled “Focus 2008.” At Focus, I had the honor of participating on one of the panels alongside some of our valued customers.

The subject of the panel was “Is it possible to get ROI on data protection projects?” I’ll cut to the chase and let you know that the answer we and the audience arrived at was no, it’s not possible to predict or demonstrate ROI in advance of the project. BUT, it’s possible to give some indications of value, and certainly it’s possible to make some ROI estimations during and after implementation.

Some interesting points that were discussed:

1. Evaluate your risks – work out how data is leaking so you can protect the most important assets/leak points first

2. Though laptop theft is an obvious and public leak point, memory sticks are probably more significant, and much harder to track

3. You can make ROI calculations if you or a comparable company have had a breach and you can get access to the cost – even if it’s just in terms of the cost of notifying all those affected.

4. If data protection is “insurance,” the ROI is awful; until your “house burns down.”

5. Quantifying lost customer satisfaction, loss of reputation and customers migrating away from your company are challenging values to assign costs.

One interesting comment from the audience, from a member of an international defense department who I’d love to have been able to spend more time talking to, was that in his organization, if records of something like a future mission are lost/disclosed, then the mission is scrapped. There’s a direct cost equation. He shared with us that all the data in his organization goes through during a risk/value assessment, and protection is (meant to be) applied in accordance with this, though his frustration seemed to be simply not having enough manpower to apply protection.

An enlightened approach, I think you will all agree.

As a final gem today, my regular trawl through the news found this nugget on news.bbc.co.uk – ” A woman has been arrested in Japan after she allegedly killed her virtual husband in a popular video game.” Yes, an actual real person is in jail for assassinating her virtual husband in the game Maplestory. Yes, that’s right – she’s in “first life” prison for a “second life” crime, of which the penalty is up to $5000 or 5 years.

Why did she do it? Because she found herself suddenly divorced. Indeed, a heinous thing to happen to anyone.

Of course the actual truth of the matter is that she’s being prosecuted because she obtained her virtual-husband’s real life game credentials and used those illegally to cause his (virtual) demise, a crime under the computer use act, but I feel the headline is far more compelling.

Until next time – play nicely online!