“Why would I approve this kind of investment if you cannot articulate some kind of cost reduction, an opportunity for business enablement, or return associated with more efficiently managing my existing risk exposure?”
How many times, as practitioners, have we had these conversations? Whether it is a discussion about the inherent risk of certain business practices, or the associated investment costs in people, process, and technology aimed at managing said risk, practitioners are consistently challenged with providing some measurable way to communicate the intrinsic value of those investments.
Our colleagues in business talk about ROI (return on investment) frequently, because they have long been conditioned to demonstrate some kind of value or return on programs, investments, initiatives, and the like. Having an approach to clearly communicate “value” in the security and risk business is absolutely critical as well. It may often be overlooked, but the functions we run are businesses within the business. We ultimately provide services to our customers that enable our businesses to function within certain tolerances for established processes, while allowing them to transform and take more risk as they build new business models.
So what is the problem? Essentially, we are struggling with the challenge of not being able to communicate in the same language. For example, there are simple and established ways for a CEO to determine a “return on investment” for something like a new office building. Predictive measures of the value of real estate investments and the capacity increases from more efficient equipment or a new facility are relatively straightforward and are ingrained into the fabric of business.
In our business within the business, we are really only able to manage three things associated with our investments: the effectiveness of the investment in terms of managing or reducing risk, the total cost of ownership of a given investment, and the ability to advise on the transfer of said risk in some way (e.g., insurance). The challenge most of us have enc