CrankySec

La vie en ROSI

As I wandered the barren wasteland that is LinkedIn, something absolutely not interesting caught my eye. A brand new acronym that I haven't seen before: ROSI. I was sure that I was witnessing a pivotal moment. A moment where the cybersecurity industry's stupidity teams up with desperation. What happens next won't surprise you.

A very fundamental shift has happened, and the used car salespeople business development managers of the world need to adapt and respond to this new threat: the well has run dry. And, as we all know, these things have lag and momentum, so the vibe shift happened a while ago, but the industry is responding just now. One thing to note here: when I say "the industry", I mean "companies trying to sell you shit you don't need."

You see, this racket was never sustainable, and, now that the world is all caught up, the people who make a living overstating, overpromising, overcharging and underdelivering are getting a little antsy because their little con is no longer working as it once was. Enter ROSI.

In essence, the concept of commerce is simple: you make something people want, and you charge them money for it. This worked pretty well until some absolute fuck woke up one day and thought: "What if I can convince people to buy things they don't need?" We call that marketing. Then, some enterprising asshole thought: "What if I can make people's compensation dependent on how much they can sell other people shit they don't need?" This we call commissions. Then, some people with a lot of money thought: "What if we pay the person running this company in shares so they are incentivized to make number go up at all costs?" Yep. Shareholders.

On top of this solid foundation of bullshit we have "What if I can convince people that they need this thing I'm selling because the world is scary and full of elite hackers who are coming for you, specifically you, 24/7/365? What if we manage to paint this problem as so insanely complex, contrived, and convoluted that there's absolutely no way to tackle it without spending millions upon millions of dollars every year? And what if we make it virtually impossible to tell if you're getting your money's worth?" This miasma of nonsense is pretty much every cybersecurity company.

If we look at commerce and industry through the lens of capitalism for a minute, we can very quickly come to the conclusion that optimizing things in a way that a) minimizes your operational and capital expenses, and b) maximizes your income is a very good plan. We wouldn't want, for example, to spend a lot of money on things we don't need, right? Theoretically, yes. In practice, not so much.

See how smart I am? You should definitely hire me because I am orders of magnitude smarter than your CISO simply because I know that not spending money on things that are not necessary is better than the opposite. A very low bar, but companies keep going for the bullshitters instead of the pragmatists, so that's on them.

That brings me to the subject at hand: ROSI. For the uninitiated, it means Return On Security Investment. Which is the most asinine thing I've seen in a while. And I've seen some Splunk invoices.

Here's the thing: we already have a term for that. It's return on investment. It's broad in scope because it doesn't matter what you're investing in, you just want to know if the investment is worth your while. We don't do Return On Coffee Investment. Or Return On Accounting Investment. Or even Return On Going To RSA To Do Blow With A Bunch Of Account Managers. We don't do that because it is fucking stupid. This industry does ROSI because, well, there's a need to distract people in charge of budgets with something, lest the folks who do the P&L calculations start asking too many questions.

The cybersecurity industry as it stands today only works if everyone else believes the fairy tale that this is some special, inscrutable domain. A domain so fucking critical to the very existence of the modern world that you're better off just leaving it to the experts. ROI doesn't even begin to explain how complicated this whole thing is, so we need another term for the same thing. It's complicated, you wouldn't understand.

This is the latest push against the inexorable collapse of this industry. It's the red giant phase of a dying star. This industry keeps telling everyone that the world is going to end if we don't throw ML Cloud Native Containers Big Data Puddle/Pond/Lake/Ocean AI at everything. This industry takes, and takes, and takes, and very rarely gives something back. So, ROIs don't work for us because there's nothing to return. ROSI, on the other hand, is just different, you know?

The industry needs to keep inventing nonsense because, if you look a little closer, you'll see that nothing makes sense. The overwhelming majority of security issues are ransomware and credential stuffing. We have established controls frameworks that address a lot of the issues we face. I repeat: the vast majority of security problems are solved problems. You're just bad at risk management, horrible at allocating resources, and probably have a cocaine habit that depends on people not seeing that you're a fucking fraud.

But, as stated, people are catching up. You can't fool all the people all the time. Every "major" incident is a signal to other companies that a cybersecurity failure is not the end of the world, and that reputational damage is not a concern to the vast majority of companies because the stakes are very low for the vast majority of businesses.

People are catching up, and one consequence is cybersecurity budgets drying up. The reaction to that is more FUD: more horror stories, new acronyms, new fictional threats, and, obviously, new solutions to problems that don't really exist. When the red giant turns into a brown dwarf, the business development managers will, in true locust fashion, move on to the next thing because they don't give a shit about any of this. Hopefully what remains is something better.