James Champy once said, “Many executives are insulated from reality and consequently don’t know what the hell is going on.” I can’t think of a better real-world example of this than management’s relationship with information security. It’s a problem that affects practically every business, every non-profit and every government agency. And it’s also one of the greatest barriers to success we have in our jobs as security professionals.
This problem will be a thing of the past in a few decades, but right now, we have a lot of old-school managers faced with new world technology-based realities — and they often don’t mix well.
But who’s really at fault here? Do we blame management for burying their heads in the sand, claiming that there’s nothing on the network of any value that the bad guys would want? Or, do we take a good look at ourselves and consider that perhaps we’re part of the problem? I think the true answer is a lot of both.
Everyone — management, IT, physical security, you name it — has their own opinions and beliefs about information security. Some see it as a hindrance, others as a side-effect of big government regulations, and yet others as an opportunity for job security. Likewise, everyone has their own perceived risks. What seems high-priority to a network administrator may be off the radar of the same organization’s operations manager. Opinions and beliefs aside, information security is a business issue that deserves to be treated like any other serious function — but how do you get that message across to those who make the final decisions?
Change Your Focus
When it comes to proving the business case for information security, we can calculate return on investment (ROI) and risk numbers all day long. The reality is that it’s not that simple. There’s much more to the story than just handing a spreadsheet to management and having everything security-related magically supported with no questions asked. I’m not saying ROI numbers and quantifiable risk aren’t important. The thing is, we are IT and security professionals — not finance experts and mathematicians (at least I’m not). It’s unreasonable to assume that any given person working in this capacity has the knowledge, tools or even the time to calculate numbers that may or may not be accurate or of any benefit after all. Finding someone who can realistically calculate information security ROI and risk for you is nearly impossible.
Think about it: the essence of ROI is the value received divided by the cost over a given time period. How do you quantify “value received” when it comes to information security? Is it saving money, making money or not losing money? Complicating matters, look at any financial resource and you will see that ROI calculations can be modified to suit the particular situation. Everyone defines and interprets ROI differently.
Risk calculations are the same way. Typical security certification study materials and information security theory books will tell you that for any given risk there is a loss expectancy and an annual rate of occurrence. How does this translate into the real world, where we’ve got all of these complex information systems and a distinct set of problems associated with each area? Furthermore, most of us have no clue as to when the next attack is going to hit — we’re just hoping that what we have in place now is going to be sufficient to keep it from occurring. As with ROI, calculating risk can be an exercise in futility.
Interestingly, most ROI and risk questioning tends to stop when a security breach occurs. So, what do you do to prove the value of information security? It’s found in your ability to “sell” security. This isn’t a quick-fix solution, but it is a solution nonetheless. Once you master the art of selling security, it will work better than anything else to get information security initiatives passed.