The most perplexing of the lessons I learned was that large projects were selected based on projected return on investment (ROI), and yet no one calculated actual ROI after the project was implemented.
There was no accountability to the projections whatsoever… which could be a pro or a con depending on your role.
In talking with colleagues throughout my career, it appears the lack of calculating actuals is normal. If no one is asking whether the ROI was realized, why take the time to do it?
In cybersecurity, though, taking the projected numbers on faith is too risky: the projection was the justification for spending, and the only way to know whether the risk was actually reduced is to measure it afterwards. Let's look at two scenarios...
Two mitigation projects to improve the company’s risk posture are proposed and approved. The projected return, or reduction in loss exposure, is presented as follows:
Mitigation Project #1: Segment the network to protect business units’ servers from attack when one business unit is compromised.
Mitigation Project #2: Replace malware protection software on all endpoints to decrease the number of malware attempts that successfully infect PCs.
The projects are successfully implemented.
After three months, you have enough data to re-run the same scenarios with actual experience instead of estimates. In the network segmentation case, how many compromises occurred within a single business unit, and how many of those were contained there rather than reaching another unit's servers? Your InfoSec engineers should have this data.
In the malware software case, how many PCs have been reimaged due to successful malware infections in the past three months, and how does that compare with the same count before the replacement? The people responsible for Helpdesk and/or Incident Response will have this information.
After the analyses are completed with actual data, the scenarios may be updated as follows:
Mitigation Project #1: Segment the network to protect business units' servers from attack when one business unit is compromised.
Results / Response: (table not reproduced)
Mitigation Project #2: Replace malware protection software on all endpoints to decrease the number of malware attempts that successfully infect PCs.
Results / Response: (table not reproduced)
It would be nice to think that the mitigated risk drops off the top list of concerns since "we just took care of that one." And maybe it has.
But it is worth checking by assessing the residual loss exposure with the actual data rather than the projection. And then, if the numbers hold up, it is worth a celebration.
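The before-and-after comparison described above, as an added worked example (not code from the original post or from the RiskLens platform): loss exposure is modelled as annualized loss expectancy (events per year times loss per event), the three months of post-implementation counts are annualized, and projected versus realized ROI and residual exposure are computed for both projects. Every figure, scenario name and function here is constructed for illustration.

```python
"""Re-running a mitigation scenario with actual data: projected vs realized ROI.

Added example, not code from the original post or from the RiskLens platform.
Loss exposure is modelled as annualized loss expectancy (ALE):
    ALE = loss event frequency (events per year) x loss magnitude ($ per event)
Every number below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # loss event frequency
    loss_per_event: float    # average loss magnitude, dollars

    @property
    def ale(self) -> float:
        return self.events_per_year * self.loss_per_event


def annualize(events_observed: int, window_days: int) -> float:
    """Scale a count from a short observation window (e.g. the three months
    after go-live) to an annual event frequency."""
    if window_days <= 0:
        raise ValueError("observation window must be positive")
    return events_observed * 365.0 / window_days


def roi(loss_reduction: float, project_cost: float) -> float:
    """Return on investment as a ratio: (benefit - cost) / cost."""
    if project_cost <= 0:
        raise ValueError("project cost must be positive")
    return (loss_reduction - project_cost) / project_cost


def review_project(before: Scenario, projected_after: Scenario,
                   observed_events: int, window_days: int,
                   project_cost: float) -> dict:
    """Compare the projection used to approve a project with what the
    post-implementation data shows. The actual scenario keeps the loss
    magnitude from the projection and replaces the frequency with the
    annualized observed count."""
    actual_after = Scenario(before.name + " (actual)",
                            annualize(observed_events, window_days),
                            projected_after.loss_per_event)
    projected_reduction = before.ale - projected_after.ale
    actual_reduction = before.ale - actual_after.ale
    return {
        "name": before.name,
        "projected_reduction": projected_reduction,
        "actual_reduction": actual_reduction,
        "projected_roi": roi(projected_reduction, project_cost),
        "realized_roi": roi(actual_reduction, project_cost),
        "residual_exposure": actual_after.ale,   # what is still on the books
        "projection_met": actual_reduction >= projected_reduction,
    }


def top_risks(scenarios, n: int):
    """Names of the n scenarios with the largest ALE; used to check whether
    a mitigated risk really dropped off the top list."""
    ranked = sorted(scenarios, key=lambda s: s.ale, reverse=True)
    return [s.name for s in ranked[:n]]


# Constructed figures for the two projects in the post.
# Project #1: spread from one compromised business unit to another unit's servers.
SEG_BEFORE = Scenario("Cross-BU spread", events_per_year=8, loss_per_event=250_000)
SEG_PROJECTED = Scenario("Cross-BU spread (projected)", events_per_year=0.8, loss_per_event=250_000)
SEG_COST = 600_000
SEG_OBSERVED_SPREADS, SEG_WINDOW_DAYS = 1, 90   # one spread seen in the first quarter

# Project #2: endpoints reimaged after a successful malware infection.
AV_BEFORE = Scenario("Endpoint reimage", events_per_year=120, loss_per_event=2_000)
AV_PROJECTED = Scenario("Endpoint reimage (projected)", events_per_year=60, loss_per_event=2_000)
AV_COST = 80_000
AV_OBSERVED_REIMAGES, AV_WINDOW_DAYS = 12, 90   # constructed Helpdesk ticket count


def segmentation_review() -> dict:
    return review_project(SEG_BEFORE, SEG_PROJECTED, SEG_OBSERVED_SPREADS,
                          SEG_WINDOW_DAYS, SEG_COST)


def endpoint_review() -> dict:
    return review_project(AV_BEFORE, AV_PROJECTED, AV_OBSERVED_REIMAGES,
                          AV_WINDOW_DAYS, AV_COST)


if __name__ == "__main__":
    for r in (segmentation_review(), endpoint_review()):
        print(f"{r['name']}: projected ROI {r['projected_roi']:.2f}, "
              f"realized ROI {r['realized_roi']:.2f}, "
              f"residual exposure ${r['residual_exposure']:,.0f}, "
              f"projection met: {r['projection_met']}")
```

With these constructed figures the endpoint project beats its projection while the segmentation project falls well short of it, which is exactly the kind of finding that only appears when actuals are collected. One caveat a practitioner should keep in mind: three months is a short window, and annualizing a single observed event (as the segmentation case does) carries a wide confidence interval, so treat the first re-run as a signal to investigate, not as a final verdict, and repeat it as more data accumulates.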
With the RiskLens platform, you can run before-and-after scenarios for your IT projects to make solid calculations on ROI that you can show to your organization with confidence. Contact us to learn more.