ROI and quantitative analysis is useful, but prioritizing security projects and focusing on objectives is smart business. Quantitative methods may provide useful input, but they’re no substitute for careful reasoning about which security expenditures will help make your enterprise more successful overall. The company has a baseline of security spending that is nondiscretionary and necessary to satisfy the its regulatory and internal audit requirements. ROI and other quantitative analysis may help provide a common framework with other technology investments, but you should prioritize and justify security spending by having a solid discussion of your application objectives and their exposures. Because so much of today’s security budget is dedicated to mandatory items, only a fraction is left for discretionary projects. Risk-management philosophy pervades today’s companies, and it’s apparent on both the revenue- and cost-generating sides of the house.<\/p>\n","protected":false},"excerpt":{"rendered":"
Using a risk-management approach, many companies, for instance, accept a priori that all its activities have risks. The challenge then becomes spending your resources to protect the business from likely security threats. This adds a third dimension to the classic cost-benefit analysis.<\/p>\n
You can apply this approach to just about any kind of company. Begin this analysis by categorizing your potential security projects according to their business impact. Here are the categories, in order of importance:<\/p>\n
\u2022 Enablement: Your enterprise will earn the most return on its investment from security projects that serve as obvious enablers to lines of business.
\n\u2022 Protection of key assets
\n Opportunity: Opportunistic investments typically result in cost savings or process improvements.<\/p>\n
http:\/\/www.securitypipeline.com\/166400617<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-114","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":2601,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/114\/revisions\/2601"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}