Security engineering and security RoI

IT Security has been practised as a dark art for too long. We should treat it as an engineering discipline and reset our expectations about how security systems should be designed and evaluated. All it would take is a fresh approach, the right metrics and a little competent analysis. This is how it might work.