Shot Down in Flames! – That ROI for security or litigation is in jeopardy.


The Return on Investment (ROI) is an essential financial measurement for any business venture, and one that must be positive, or at least neutral, to demonstrate the viability of the proposition being examined. There are certain essential business functions, however, that do not provide a return on your investment, and two of those functions are legal representation and security, both physical and digital.

They are not investments that produce a return the way an MRI machine or a commerce site does. Security and legal expenses, if used correctly, earn their keep through risk avoidance, which does translate into tangible financial savings. Both are about avoiding the losses associated with business risks, not about financial return.

The traditionally difficult part about getting funding for security and legal expenditures is collecting accurate, quantifiable measurements on which to base our propositions. Fortunately, there is a mechanism for accomplishing this: the Annualized Loss Expectancy (ALE) (Source: Risky Thinking), the monetary loss that can be expected for an asset, due to a given risk, over a one-year period. An important feature of the ALE is that it can be used directly in a cost-benefit analysis.

To give a brief explanation of how it is calculated, two factors comprise the ALE. The first is the Single Loss Expectancy (SLE), the monetary loss from a single occurrence of the exposure; it is the value of the asset you are trying to protect multiplied by the Exposure Factor (EF), the percentage of that asset lost in a single event. The second is the Annualized Rate of Occurrence (ARO), the number of times the loss event is expected to occur in a year. Multiply the two together and you have the ALE (ALE = SLE * ARO).

For example, suppose an asset is valued at $200,000 and a single exposure costs $50,000 (an EF of 25%). Your SLE is therefore $50,000. How many times a year do we expect this exposure event to occur? If we expect it once every year, the ARO is 1; if we think there is a 50/50 chance of it happening in a given year, the ARO is 0.5. Note that ARO is a frequency rather than a percentage: an ARO of 0.5 is one event every two years, and an ARO of 3 means three events a year. For discussion purposes, let's say there is a 50/50 chance of an exposure, so our ARO is 0.5. With our SLE of $50,000 multiplied by our ARO of 0.5, the ALE is $25,000.

In this example, if you spend more than $25,000 a year on risk mitigation or avoidance, whether a security product, insurance or a legal service, you are spending too much. You are most certainly spending too much if the product or service you deploy does not eliminate the risk. The general rule is that a control is worth, at most, the ALE it removes: the value of a control is the ALE before the control minus the ALE after it, less the annual cost of the control, and that figure must not be negative. If spending $25,000 does not set your ARO to zero but, say, cuts the risk by 75% instead, the control only removes $18,750 of expected loss, so you should reduce that $25,000 mitigation expense by 25% to bring everything back into a cost-effective risk avoidance measure.
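As an added illustration (not code from the original article), here is the calculation above carried through in Python, extended with two things the text hints at but does not show: a comparison of several candidate controls by net annual value, and a break-even and sensitivity check across a range of ARO guesses for when the frequency is no better than a best guess. The asset, SLE and ARO figures are the article's; the control names, costs and risk-reduction fractions are constructed assumptions.

```python
"""Worked ALE cost-benefit calculation. This is an added illustration, not
code from the original article; the figures reproduce the article's example
(a $200,000 asset, a $50,000 single-event loss, ARO of 0.5) and the control
names, costs and risk-reduction fractions below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is events per year: 0.5 means once every two years."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate mitigation (hypothetical): its annual cost and the fraction
    of the risk (the ARO) it removes, where 1.0 eliminates the exposure."""
    name: str
    annual_cost: float
    risk_reduction: float


def max_justified_spend(ale_before: float, control: Control) -> float:
    """The most the control is worth per year: the ALE it removes."""
    return ale_before * control.risk_reduction


def net_value(ale_before: float, control: Control) -> float:
    """(ALE before - ALE after) - annual cost. Negative means you overspent."""
    return max_justified_spend(ale_before, control) - control.annual_cost


def rank_controls(ale_before: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Rank candidate controls by net annual value, best first."""
    scored = [(c.name, net_value(ale_before, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def break_even_aro(sle: float, control: Control) -> float | None:
    """ARO at which the control exactly pays for itself; None if it removes no risk."""
    if control.risk_reduction <= 0.0:
        return None
    return control.annual_cost / (sle * control.risk_reduction)


def aro_sensitivity(sle: float, control: Control, aro_guesses: list[float]) -> list[tuple[float, float]]:
    """Net value of a control across several ARO guesses. ARO is usually the
    least certain input, so this lets you show a range rather than one number."""
    return [(aro, net_value(annualized_loss_expectancy(sle, aro), control)) for aro in aro_guesses]


# The article's figures: $200,000 asset, $50,000 per event (EF = 25%), ARO = 0.5.
ASSET_VALUE = 200_000.0
EXPOSURE_FACTOR = 0.25
ARO = 0.5
SLE = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)  # 50,000
ALE = annualized_loss_expectancy(SLE, ARO)                  # 25,000

# Constructed candidate controls (names, costs and effectiveness are assumptions).
CONTROLS = [
    Control("full mitigation at the ALE", 25_000.0, 1.00),  # breaks even exactly
    Control("75% mitigation at the ALE", 25_000.0, 0.75),   # the article's overspend case
    Control("75% mitigation, repriced", 18_750.0, 0.75),    # the article's corrected spend
    Control("cheap 50% control", 5_000.0, 0.50),            # best net value of the four
]

if __name__ == "__main__":
    print(f"SLE = ${SLE:,.0f}  ALE = ${ALE:,.0f}")
    for name, value in rank_controls(ALE, CONTROLS):
        print(f"{name:30s} net annual value ${value:>10,.0f}")
    cheap = CONTROLS[3]
    print(f"break-even ARO for '{cheap.name}': {break_even_aro(SLE, cheap):.2f} events/year")
    for aro, value in aro_sensitivity(SLE, cheap, [0.1, 0.25, 0.5, 1.0]):
        print(f"  ARO {aro:<5} -> net value ${value:>10,.0f}")
```

Run it directly to print the ranking. The two numbers worth taking to the CFO are the net value, which must not go negative, and the break-even ARO, which states how often the event has to happen before the control pays for itself; if your honest estimate of the frequency sits below that line, the spend is not justified no matter how good the product is.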

The key to your success will begin with solid statistics and factual data. It is not difficult to find facts and cost figures for legal actions: there are decades upon decades of legal history to draw on. Digital information security is much more difficult, simply because it does not have that history.

One challenge with information security is that the threats change rapidly, more so than the legal landscape does. With the sheer number of high-profile breaches reported recently, our exposure estimates should become more accurate over time. Still, it is nearly impossible to forecast an exposure frequency with confidence. Far more esoteric to calculate are reputational loss, brand credibility loss and customer loss. When you are dealing with rare and exotic risk events, it will probably come down to your best guess, and your opinion may be completely different from the CFO's; we all know who controls the budget. A practical way to handle that uncertainty is to present a range of ARO estimates, along with the frequency at which the proposed control breaks even, rather than a single number. I would certainly enlist the help of your security vendors to provide these numbers. They have a vested interest in your success, and their data may be compelling enough to sway the CFO. Keep in mind, though, that the game is rigged in favor of the vendor's products; getting several independent examples should provide a reasonable snapshot that is useful to your ROI case.

Proving business value, either in profits gained or in losses reduced, is what makes the business machine run. In the legal or security department's case, knowledge is power, and it is the only way to articulate the return on investment the CFO should expect. Don't get shot down by being ill prepared: your career, credibility and company are all on the line.

Article first published as Shot Down in Flames! on Technorati.

