In a previous post we shared a perspective on analyzing risks through a business lens. There is definitely effort involved but we believe there is a real ROI associated with using IOR Insight in your operational risk management activities.
Critical Risks Exposed
In a recent engagement with a PCI Level 1 merchant customer, we offered a low-risk, brief pilot of the IOR Insight solution. Their assumption going into the pilot was that they had a comprehensive understanding of their environment and that our findings would hold no surprises. Nonetheless, the pilot exposed three critical risks to their cardholder data that had not previously been identified. Once these were known, the customer used our analytic tools to understand the business reasons behind the risks and to develop a plan to either resolve them or mitigate them with appropriate controls.
Although their risk and compliance program had a formal methodology and dedicated staff, the execution of the program and the identification of key data risk insights were constrained by the limitations of the tools and technologies available to them, so critical risks simply remained undiscovered.
Normally, manually updated process narratives and diagrams must be analyzed against constantly changing security standards and corporate policies in order to determine data breach risk. This process is repeated for each business process in question, yet the resulting summary of risk is just a one-dimensional static report. Getting even that far requires a significant level of effort, and it generally creates a lot more work for analysts who want to dig deeper and find the most important insights.
IOR Insight is designed specifically for mapping dataflows and analyzing data handling and data breach risks, and our managed service makes it possible to minimize customer involvement over time. Throughout the pilot, for example, the effort ratio between the IOR team and the customer's security analyst was approximately 5 to 1. In three weeks, we modeled four cardholder data flows and produced PCI audit-ready dataflow diagrams that were used as evidence for PCI compliance and to facilitate PCI scoping.
As the customer had limited availability, they were unable to maintain direct involvement, but participated in key workshops and introductory discussions facilitated by our team.
For additional value, we also reviewed their security policies and data handling standards and mapped them into the solution. By applying our policy configuration methodology within the IOR solution, we identified two missing controls (gaps) in their standards and worked with them to strengthen their data handling standards. After we completed the standalone assessment, the customer had a clear understanding of the insights revealed by the IOR solution and of the data risks we help expose and manage.
ROI From Many Perspectives
As part of their business case, they also wanted to know the ROI of implementing our solution as part of their operational risk management activities.
To determine the annual ROI of adopting IOR as an operational component, including our managed service for maintaining the solution, we looked at the effort required to perform the same risk management activities without IOR. The key activities were: managing the data flow lifecycle on a regular basis; assigning human analysts to dig through and study the related data flow documentation, associated asset inventories, data inventories, vulnerabilities, control assessments and other pertinent information; and producing reports from various perspectives to facilitate meaningful analysis of problem areas.
That effort was then compared with the standard pricing of our solution. The result was an annual ROI on operational costs well above 100%, while delivering a more accurate and meaningful result with IOR Insight. We arrived at that number by looking at three human activities normally involved in producing the same result.
The first activity is the capture and maintenance of data flows within the business processes. Companies have been investing significant amounts of money with outside experts to conduct this activity, and when it is finished, a stack of static documents is what is left behind. Looking at the internal and external cost of these activities, we estimate roughly a 75% savings from using the IOR solution and managed service compared to standard approaches. In other words, a company might spend $4 today to get the same result that IOR can provide for $1.
The second activity is performing assessments and understanding which problems exist. Normally, a team of internal or external analysts analyzes risk by working through the data flows, conducting assessments against a standard such as the NIST SP 800 series, and pulling all of that disparate but related information into reports using a variety of office productivity tools. Here we assumed that control assessments would remain a manual process performed on a regular basis; but once those assessments are conducted and their results maintained in IOR Insight, the other normally manual activities are nearly automatic, with results available through quick and simple reporting capabilities. We estimated roughly a 50% savings in analyst hours to produce comprehensive risk analysis and meaningful reports.
The third activity is linking the risk analysis to the business side of the company. Going back to one of our key strengths, our platform is inherently designed to associate problem areas with the business areas that create and/or are impacted by those problems. We find that most organizations don't really have the capacity to do this type of analysis; these insights are widely regarded as highly valuable, but also as cost-prohibitive and difficult to achieve. We analyzed the approximate amount of time it would take to produce reports that frame the risk analysis in the context of business processes and impact areas in the way IOR Insight does automatically. Even allowing for the human effort of tweaking and refining reports with filtering capabilities, we identified roughly a 90% savings in effort when using IOR to achieve the same or a similar result.
IOR equals ROI
These are significant savings, and at the same time they expand the possibilities for managing security risk and feeding results back into the loop we ultimately want in place as we work to optimize security for our businesses. As anyone who has calculated ROI knows, the actual number depends on the cost of what you are replacing and the cost of the replacement, so results will vary from case to case. In this customer's particular case, given their pricing and considering each of the three activities described above, we estimated a 117% annual return using the formula (total cost today − total cost tomorrow) / total cost tomorrow, where "total cost tomorrow" is the cost of operating with IOR Insight and the managed service.
For an understaffed or overwhelmed team, IOR presents a rare opportunity to extend what your existing team can accomplish, both in proactive risk management of your data and in its overall value to the organization as a whole.
If you are curious about how IOR can help your team, please contact us and we'll help you understand more as you look for ways to improve your visibility into risks and what matters most to your organization.