So, you have decided to spend $250,000 on security measures. You have done the analysis and you believe the spending is well worth it. You already have the money and some happy salesperson is working on a proposal right now. You don't need risk management because you're close enough to the finish line that all that annoying stuff has been evaded successfully. Only it hasn't…
Assuming you are a conscientious security professional, you actually went through the process of risk assessment and completed it when you decided it was "worth it" to make the purchase. Informal, ad hoc, seat-of-the-pants are all tried-and-true methods of success in this field.
In fact, you, as a conscientious security professional, conducted an informal calculation of the consequences and the probability associated with some negative event that this $250k countermeasure is supposed to eliminate or reduce.
Now, I can't tell you exactly what consequence and probability values you implicitly decided on, but I can tell you that their product must be greater than $250,000. It could have been a 5% chance of losing $5 million or a 50% chance of losing $500,000. Perhaps it was a 1% chance of losing $25 million.
In order to get your money's worth (i.e., ROSI, or return on security investment) that $250,000 must be LESS than the amount of reduced risk. If you assert otherwise, then it wasn't a good decision. Let me say that another way – if you tell me I am wrong, then you are making a poor decision for your organization.
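As an added illustration of the expected-loss arithmetic above (my example, not code from the original post): the functions below compute expected loss, the risk reduction a control buys, ROSI, and the break-even effectiveness a $250k control needs. It assumes the control reduces the event's probability by some fraction and leaves the consequence unchanged; the three scenarios are the ones named in the post.

```python
"""Expected-loss arithmetic behind "the $250k must be less than the reduced risk".

Assumption (mine, not the post's): a control prevents the event a fraction
`effectiveness` of the time and does not change the consequence.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    probability: float   # annual chance of the negative event (0..1)
    consequence: float   # dollars lost if it happens

    @property
    def expected_loss(self) -> float:
        # The "product" the post says you implicitly computed.
        return self.probability * self.consequence


def risk_reduction(s: Scenario, effectiveness: float) -> float:
    """Dollars of expected loss removed by a control of the given effectiveness."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    residual = Scenario(s.probability * (1.0 - effectiveness), s.consequence)
    return s.expected_loss - residual.expected_loss


def rosi(s: Scenario, effectiveness: float, cost: float) -> float:
    """Return on security investment: risk reduction minus the control's cost.
    Positive means the spend clears the post's own bar; negative means it does not."""
    return risk_reduction(s, effectiveness) - cost


def break_even_effectiveness(s: Scenario, cost: float) -> float:
    """Minimum fraction of the risk the control must remove to pay for itself.
    A value above 1.0 means no control could justify the cost for this scenario."""
    return cost / s.expected_loss


# The three implicit judgments named in the post; each is $250k of expected loss,
# so a $250k control is only break-even if it eliminates the risk entirely.
POST_SCENARIOS = {
    "5% chance of losing $5M": Scenario(0.05, 5_000_000),
    "50% chance of losing $500k": Scenario(0.50, 500_000),
    "1% chance of losing $25M": Scenario(0.01, 25_000_000),
}
COUNTERMEASURE_COST = 250_000

if __name__ == "__main__":
    for label, s in POST_SCENARIOS.items():
        print(f"{label}: expected loss ${s.expected_loss:,.0f}, "
              f"break-even effectiveness {break_even_effectiveness(s, COUNTERMEASURE_COST):.0%}, "
              f"ROSI at 50% effective ${rosi(s, 0.5, COUNTERMEASURE_COST):,.0f}")
```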
You’re right from a theoretical point of view, but this is not the way things work in the real world. Here, the project is frequently finished and deployed before somebody sticks their hand up and meekly asks if now would be a good time to talk about security. At which point, the budget for the year is fixed and the security director becomes about as welcome as a fart in a spacesuit at the next project meeting when he dares to suggest spending two and a half grand on security, let alone two hundred and fifty!
@Stuart -
You are illustrating a common use case, I agree. Believe it or not, there are enterprises in industries with infrastructure security budgets that operate in the way I described.
Regards,
Pete