Cost savings is one of the most obvious measures of ROI, especially when the CIO or head of IT is also responsible for security. If a project enables you to reduce storage space, consolidate licenses, or reduce time and effort through automation, you can calculate the returns with reasonable certainty.
The caveat here is to understand this should never be the only reason for the investment. The main goal of IT security is to manage risk, and you’re doing yourself a disservice with any project that does not start there. However, cost savings works great as an additional reason to invest in something that reduces a risk the company cares about.
Compliance can be an effective way to start an ROI conversation and get attention in a less mature organization where the executive team is less aware of the real risks. However, it is potentially thin ice: You should never give in to a false sense of security based on ticking all the boxes of any compliance checklist.
Another pitfall you want to avoid is creating the perception that the IT security team is a “necessary evil” that executives will tolerate and even fund, but would happily get rid of if they could.
I am definitely not arguing you should not bring up compliance in a budgeting conversation. On the contrary, you should be aware of the current and anticipated regulatory requirements for your industry and jurisdiction. However, similar to operational cost reduction, I think it would be a mistake to over-rely on compliance as the primary way to justify a security investment.