"Every improvement in your security controls and processes, in any area of your organization, has a cost, but in this case you have to try to minimize this cost, which depends on each security project's success. Also, you know that security involves people, processes and technologies, so you have to aim your efforts at all three. For instance, a project to harden network security controls involves the three elements, a project to harden security controls in a datacenter involves the three elements, and so does a project to raise people's security awareness. Therefore, as you see, the higher ROI is in the medium and long term; only critical security improvements that reduce a critical exposure in a process or technology have a high ROI in the short term, for instance, adding a control or fixing an application that allows fraudulent transactions.
However, you can take a look at some references:
- CISSP book
- SSE CMM from Carnegie Mellon"
Well, you can add some standards as references, such as ISO 27001, COBIT, SOX, HIPAA, and so on, but the main thing is project success.
- Ricardo Seguel P.