Our goal is to be able to compare any action you want to take within a business on a consistent basis. To do that we need to do a cost/benefit analysis, but leverage the TRM values of time, risk, and money to create that consistency.
Steps 1+2
To do a cost/benefit analysis, we need to determine who stands to gain and who stands to lose. In doing so, we also identify the value created or lost.
Step 3
Assign quantifiable numbers to each value (both created and lost). Be consistent in the measurement used per value (e.g., all time values in hours/year, all money values in USD/month, all risk values in "risk impact").
Note: T-Shirt sizing can work too (but the more specific, the better a comparison).
Step 4
Ideally, leadership has dictated direction on which part of TRM is the current priority, or has given direction on how to prioritize each. Keep the business needs in mind when deciding what to prioritize.
In 2023, my employer prioritized the bottom line. My direction to my department was:
- Any critical/high severity security risks must be resolved immediately
- Planning should focus on savings in money
- Time should only be considered if the value created was substantial and the cost low.
Later in 2023, with so much success in cost reduction and growing concern with ransomware, that direction changed slightly. The first priority now included "medium". A simple communication that instantly changed how teams operated.
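As an added illustration (not code from the post), here is one way to encode Steps 3 and 4 together with the 2023 direction above in Python. The candidate actions, the hourly rate used to convert time into money, and the thresholds for "substantial" time value and "low" cost are all assumptions; the units match the consistency rule from Step 3 (hours/year, USD/month).

```python
from dataclasses import dataclass

@dataclass
class Action:
    name: str
    time_hours_per_year: float   # hours/year saved (+) or spent (-)
    money_usd_per_month: float   # USD/month saved (+) or spent (-)
    cost_usd: float              # one-time implementation cost, USD
    risk_severity: str = "none"  # severity of the security risk this action resolves

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def prioritize(actions, immediate_severities, hourly_rate_usd=60.0,
               substantial_time_usd=10_000.0, low_cost_usd=5_000.0):
    """Order actions by the stated direction: risks at an 'immediate' severity first
    (most severe first), then by net annual money saved; time counts only when its
    value is substantial and the implementation cost is low (thresholds are assumed)."""
    def key(a):
        immediate = a.risk_severity in immediate_severities
        net_money = a.money_usd_per_month * 12 - a.cost_usd   # USD/year, one consistent unit
        time_value = a.time_hours_per_year * hourly_rate_usd   # hours/year -> USD/year
        if time_value < substantial_time_usd or a.cost_usd > low_cost_usd:
            time_value = 0.0                                   # time is not considered
        return (immediate, SEVERITY_RANK[a.risk_severity] if immediate else 0,
                net_money + time_value)
    return sorted(actions, key=key, reverse=True)

# Constructed candidate actions (illustrative figures, not from the post)
CANDIDATES = [
    Action("Patch internet-facing VPN appliance", 0, 0, 2000, "high"),
    Action("Consolidate duplicate SaaS licences", 0, 1500, 1000),
    Action("Automate new-hire onboarding", 400, 0, 4000),
    Action("Rebuild legacy reporting pipeline", 300, 0, 50000),
    Action("Enforce MFA on internal wiki", 0, 0, 500, "medium"),
]

def ranked_names(immediate_severities):
    """Names of the candidates in priority order under the given immediate severities."""
    return [a.name for a in prioritize(CANDIDATES, immediate_severities)]

if __name__ == "__main__":
    print("Early 2023:", ranked_names({"critical", "high"}))
    print("Late 2023: ", ranked_names({"critical", "high", "medium"}))
```

Adding "medium" to the immediate set is the one-line change that reorders the list, which is the effect the late-2023 communication had.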
How comfortable are you to do this on your own? What questions did I not answer? I would LOVE to work through this with your specifics, please contact me.