There are several ways to sell security projects internally but, without knowing the specific problems, more targeted suggestions would be risky or might not apply to the reality of your business. As a starting point, you can build your argument on two pillars: productivity, and loss or leakage of information.
Whichever basis you choose, it is very important to make the argument tangible, using numbers to show how much lost productivity affects the business, as well as the financial and reputational losses an information leak could cause the company.
Once you can turn these losses into numbers, and you know the value of the project, it is easier to calculate the time to return on investment and to take this information to the relevant sectors or people with a strong and almost infallible argument.
The first step is to check how much time, on average, an employee loses each day to misuse of the internet. If you cannot measure this time, make an estimate based on three scenarios: pessimistic, likely, and optimistic.
For each scenario, set an estimated number of hours that the average collaborator spends on non-work-related activities each day. If you do not have a tool to measure this, do not be conservative; you may actually be scared by the result.
Another very important item to account for is the time it takes to resume an activity after a distraction caused by the internet. There are studies that prove the brain takes more than 10 minutes to return to the point of a concentrated activity when interrupted. In this sense, small distractions throughout the day can add up to long periods of unproductivity.
So assume that, in the pessimistic scenario, the average collaborator loses 4 hours a day to non-work-related activities; in the probable scenario, 2 hours; and in the optimistic one, 1 hour. Let us consider a company with 200 employees who regularly use a computer for their daily activities, with an average hourly value of $15.00.
For the pessimistic scenario, there is a loss of $240,000 per month, while for the probable scenario it is $120,000 and for the optimistic one $60,000. The calculation assumes 20 working days per month:
Value = (number of employees) * (unproductive hours) * (working days in the month) * (average hour value)
Of course, there are several other variables that must be considered in order to build a consistent line of argument and demonstrate budget feasibility; the example is only an inspiration for how you can start working with numbers to get your project approved.
In this case, considering an investment of $200,000 in security solutions, and assuming that in each scenario we manage to reduce wasted time by 50%, the investment is returned in 1.6 months (pessimistic), 3.3 months (probable) and 6.66 months (optimistic). This means that the greater the loss caused by unproductivity, the faster the return on investment.
In this scenario we are considering a single investment of $200,000 for the project; in the second year, however, there may be renewals of support and update subscriptions. These cost much less than the project itself, so the project remains very attractive given the fast return.
There are some variables to consider, such as the project's payment and completion time, possible internal resistance to policy enforcement, and other objections, which may cause a small variation in the return times. Regardless of these variations, however, the return on these projects is very significant.
Another extremely useful argument for the approval of security projects is improved availability of the internet for the organization. As many businesses now depend on the internet, whether for their support or core activities, its unavailability can lead to serious problems and direct harm to the company.
Read our article on the costs of internet unavailability and add to your case the impact that the lack of this resource has on the organization's day-to-day operations.
What about you? How do you seek to justify and calculate the return on investment for security projects? Tell us your experiences and help us enrich this post.