Shot Down in Flames! - Page 2
In my example, if you were to spend more than $25,000 for risk mitigation or avoidance by purchasing some security product, insurance or some legal service, you are spending too much. You are most certainly spending too much if the product or service you deploy does not eliminate the risk. If spending $25,000 does not set your ARO to zero, but say, cuts the risk down by 75% instead, you should reduce that $25,000 mitigation ceiling by 25% so that the spend remains a cost-effective risk avoidance measure.
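To make the arithmetic in the paragraph concrete, here is an added example (not from the original article) that computes the annualized loss expectancy, the spending ceiling for a control that only partly reduces the risk, and a return-on-security-investment ranking across several candidate controls. The $25,000 ALE is the article's figure; the SLE, ARO and candidate controls are constructed assumptions.

```python
# Added example (not from the original article): the ALE / risk-reduction
# arithmetic behind the "$25,000 ceiling" argument. The $25,000 ALE is the
# article's figure; SLE, ARO and the candidate controls are constructed.

def ale(sle, aro):
    """Annualized Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro

def max_justified_spend(ale_before, reduction):
    """Ceiling on annual mitigation spend for a control that removes `reduction`
    (a fraction 0..1) of the risk: you should pay no more than the loss it avoids."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be a fraction between 0 and 1")
    return ale_before * reduction

def rosi(ale_before, reduction, annual_cost):
    """Return on Security Investment: (loss avoided - cost) / cost.
    Negative means the control costs more than the risk it removes."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided = ale_before * reduction
    return (avoided - annual_cost) / annual_cost

def rank_controls(ale_before, controls):
    """Rank candidate controls by ROSI. `controls` maps name -> (reduction, annual_cost).
    Controls whose cost exceeds the loss they avoid are dropped as not cost-effective."""
    ranked = []
    for name, (reduction, cost) in controls.items():
        if cost <= max_justified_spend(ale_before, reduction):
            ranked.append((name, rosi(ale_before, reduction, cost)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # Constructed: one $100,000 incident expected every four years -> ALE $25,000
    ale_before = ale(100_000, 0.25)
    print(f"ALE: ${ale_before:,.0f}")
    # A control that cuts risk by 75% justifies at most $18,750/yr
    # (the article's "reduce the $25,000 by 25%")
    print(f"Ceiling for 75% reduction: ${max_justified_spend(ale_before, 0.75):,.0f}")
    candidates = {  # constructed: name -> (fraction of risk removed, annual cost)
        "full elimination": (1.00, 25_000),
        "partial control": (0.75, 12_000),
        "overpriced product": (0.50, 20_000),  # costs more than it avoids
    }
    for name, score in rank_controls(ale_before, candidates):
        print(f"{name}: ROSI {score:+.0%}")
```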
The key to your success will begin with solid statistics and factual data. It is not difficult to find factual cost figures for legal actions: there are decades upon decades of legal history to draw on, whereas digital information security is much more difficult to quantify simply because it has no comparable history.
One challenge with information security is that the threats change rapidly, more so than the legal landscape does. With the sheer number of high-profile breaches reported recently, our exposure estimates will become more accurate. Still, it is nearly impossible to forecast an exposure frequency, right? Far more esoteric to calculate are reputational loss, brand credibility loss, and customer loss. When you are dealing with rare and exotic risk events, it will probably come down to your best guess. Your opinion may be completely different from the CFO’s opinion, and we all know who controls the budget. I would certainly enlist the help of your security vendors to provide these numbers. They have a vested interest in your success, and their data may be compelling enough to sway the CFO. Keep in mind, though, that the game is rigged in favor of the vendor’s products; getting several independent examples might provide a reasonable snapshot that is useful to your ROI case.
Proving business value, either in profits gained or in losses reduced, makes the business machine run. In the legal or security department’s case, knowledge is power, and it is the only way to articulate the return on investment the CFO should expect. Don’t get shot down by being ill-prepared. Your career, credibility and company are all on the line.