Admit It. You Don't Really Measure Your Cybersecurity ROI

August 20, 2020  Leanne Scott

Back when I was in a mentorship program and learning how the upper echelons of my company worked, I learned about the Information Technology budgeting process.  It was a hoot.

The most perplexing of the lessons I learned was that large projects were selected based on projected return on investment (ROI), and yet no one calculated actual ROI after the project was implemented.

There was no accountability to the projections whatsoever… which could be a pro or a con depending on your role.

In talking with colleagues throughout my career, it appears the lack of calculating actuals is normal.  If no one is asking whether the ROI was realized, why take the time to do it?

In the cybersecurity industry though, it’s a little too risky to take such metrics for granted. Let's look at two scenarios...

The Scenarios

Two mitigation projects to improve the company’s risk posture are proposed and approved.  The projected return, or reduction in loss exposure, is presented as follows:

Mitigation Project #1:  Segment the network to protect business units’ servers from attack when one business unit is compromised.

  • Cost to implement project:  $2.5m
  • Projected reduction in loss exposure:  $10m

Mitigation Project #2:  Replace malware protection software on all endpoints to decrease the number of malware attempts that successfully infect PCs.

  • Cost to implement project:  $1.5m
  • Projected reduction in loss exposure:  $8m

The projects are successfully implemented.

Calculate Actuals

After three months, you have enough data to re-run the same scenarios with actual experience.  In the network segmentation case, how many attacks in one business unit were successfully isolated to that business unit?  Your InfoSec engineers should have this data.

In the malware software case, how many PCs have been reimaged due to successful malware infections in the past three months?  The people responsible for Helpdesk and/or Incident Response will have this information.

After the analyses are completed with actual data, the scenarios may be updated as follows:

Mitigation Project #1:  Segment the network to protect business units’ servers from attack when one business unit is compromised.

Results

  • Cost to implement project:  $2.5m
  • Projected reduction in loss exposure:  $10m
  • Actual reduction in loss exposure: $14m

Response

  • Kudos from the boss
  • A feature article in the company newsletter
  • Perhaps a little bonus?

Mitigation Project #2:  Replace malware protection software on all endpoints to decrease the number of malware attempts that successfully infect PCs.

Results

  • Cost to implement project:  $1.5m
  • Projected reduction in loss exposure:  $8m
  • Actual reduction in loss exposure: $2m

Response

  • Analysis work to determine erroneous assumptions
  • The risk drops in priority, but by less than anticipated
  • The risk analysis team learns and improves
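
The before-and-after re-run described under Calculate Actuals, as an added example that is not part of the original post: it annualizes a three-month observation window, recomputes the reduction in loss exposure from actual event counts, and compares projected with actual ROI. The project inputs (baseline event rates, loss per event, observed counts) are constructed assumptions, chosen so the actuals reproduce the $14m and $2m figures above.

```python
from dataclasses import dataclass

MONTHS_PER_YEAR = 12

@dataclass(frozen=True)
class Mitigation:
    """One approved mitigation project plus the actuals gathered after go-live."""
    name: str
    cost: int                        # one-time implementation cost, $
    projected_reduction: int         # projected annual reduction in loss exposure, $
    baseline_events_per_year: float  # loss events/year before the project (from the original analysis)
    loss_per_event: int              # average loss per event, $ (assumed unchanged by the project)
    observed_events: int             # loss events counted since go-live (helpdesk, IR or network data)
    observed_months: float           # length of the observation window, months

def annualize(events: int, months: float) -> float:
    """Scale a short observation window up to an annual event count."""
    if months <= 0:
        raise ValueError("observation window must be positive")
    return events * MONTHS_PER_YEAR / months

def residual_exposure(m: Mitigation) -> float:
    """Annual loss exposure that remains after the project, computed from actual data."""
    return annualize(m.observed_events, m.observed_months) * m.loss_per_event

def actual_reduction(m: Mitigation) -> float:
    """Actual reduction in annual loss exposure: baseline exposure minus residual exposure."""
    return m.baseline_events_per_year * m.loss_per_event - residual_exposure(m)

def roi(benefit: float, cost: float) -> float:
    """Return on investment as a fraction of cost (1.0 means the benefit was twice the cost)."""
    return (benefit - cost) / cost

def evaluate(m: Mitigation) -> dict:
    """Re-run the scenario with actuals and compare it with the approved projection."""
    actual = actual_reduction(m)
    return {
        "projected_roi": roi(m.projected_reduction, m.cost),
        "actual_roi": roi(actual, m.cost),
        "actual_reduction": actual,
        "realized_fraction": actual / m.projected_reduction,  # < 1.0 means the projection was optimistic
        "residual_exposure": residual_exposure(m),
    }

# Constructed inputs (assumptions), chosen so the actuals reproduce the post's $14m and $2m outcomes.
# Three months of data means small event counts, so treat the result as an early check, not a final verdict.
PROJECTS = {
    "segmentation": Mitigation("Network segmentation", 2_500_000, 10_000_000, 7, 2_000_000, 0, 3),
    "endpoint": Mitigation("Endpoint malware protection", 1_500_000, 8_000_000, 250, 40_000, 50, 3),
}
```

Running `evaluate` over `PROJECTS` gives the segmentation project an actual ROI of 460% against a projected 300%, and the endpoint project an actual ROI of 33% against a projected 433%, with $8m of exposure still outstanding.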

It would be nice to think that the mitigated risk drops off of the top list of concerns since “we just took care of that one.”  And maybe you have taken care of it.

But perhaps it’s worth a check by assessing residual loss exposure.  And then perhaps it’s worth a celebration.

With the RiskLens platform, you can run before-and-after scenarios for your IT projects to make solid calculations on ROI that you can show to your organization with confidence.  Contact us to learn more.