Making the Business Case for Information Security

You must master the art of selling security if you really want to prove ROI

Establish What There is to Lose
A lot of managers don’t understand the impact an insecure information infrastructure can have on the business. Many believe that IT is simply there to setup new users and facilitate Internet access and Information Security to manage the firewall and keep the anti-virus software running. They fail to consider all the other systems and business processes for which IT and Information Security are responsible. If we’re going to get past these notions and sell security in a more positive light, we’ve got to determine where it hurts the most.
The cornerstones of a secure IT infrastructure are confidentiality, integrity and availability. That means making sure the business’ information systems and electronic assets are only accessible by those with a need, not tampered with, and are there when they’re needed. In most businesses, you can tie every single business process — every customer contact, every manufacturing process or service delivery, and every dollar that’s brought in — back to a very sensitive and fragile computer environment that can’t afford to be disturbed.
As a person with network and security responsibilities, you’ve got to know what information is stored where, who has access to it, what applications are allowed in and out of the network, and so on. One of the best ways to build your case is to find out where you’re vulnerable — this may come in the form of a self-audit based on a widely-accepted standard, such as the ISO/IEC 27002:2005; or it may require you hiring the services of an outside information security expert with a fresh perspective to find where you’re vulnerable and where the business is at risk. You can’t adequately protect what you don’t understand or know about, so make this your first step.
Then, you need to find and communicate the security holes to management. Point out that once electronic information is compromised, the cat is out of the bag — it’s either in someone else’s hands and impossible to recover, or it’s gone forever. When there’s something to lose, as likely is the case in your business, managers will take more risks and be willing to support you in your efforts.

Get and Keep Them on Your Side
One of the greatest skills to have as a business professional — regardless of your specific job — is the ability to sell your ideas to others. I’m not talking about learning cheesy sales techniques used by car salesmen, but rather, working on yourself and your style in order to influence and persuade management as to what are the business’ information security needs.
We’ve all experienced pushback when trying to sell others on our ideas — the general question is ”what’s in it for me?”
Management will want to know what security is going to do for them, or more specifically, for the business. It’s your job to lay out the answers clearly and plainly without being too pushy. Get them involved with good information at the right time and let them ask the questions that lead to solutions.
We all know that knowledge is power. This knowledge in the context of proving the business case for information security is “education.” Educating management on the fact that information security is better than the alternative is your top goal. Don’t propose new information security initiatives and demand immediate responses — let your ideas sink in gradually over time. It’s been shown that people need about 72 hours to think through a new idea or suggestion.
By all means, don’t grasp at straws based on what you’re reading in the media and use fear, uncertainty and doubt (F.U.D.) to build your case. Rational fears proportional to the threat are OK, but irrational fears (i.e. F.U.D.) blow it out of proportion and people will see right through it. It’s okay to mention some key threats and vulnerabilities and what their outcomes to the business will be such as:

• Sensitive information being scattered about the network with no way to know who has access or prove who walks off with it;
• The e-commerce Web site that’s never been tested for security flaws;
• Unsecured wireless networks setup by employees for the sake of convenience; and/or
• Hundreds of laptop computers in use without any of them having drive encryption.

Get Involved
Another key to selling security is to get involved with the business — not every few months or at the annual retreats, do it at every chance. This means attending business meetings that involve information security, calling your own security meetings, posting company blog entries and even running your own training sessions to get visibility as far and wide as possible. Make yourself visible while you learn the inner workings of the business, the key players and how things operate. This will allow you to adjust your approach based on culture and politics.
Strive to make information security a high-value yet low-risk proposition. Show why it’s needed, its benefits and how it will support the business — and don’t make the mistake of letting compliance be your main goal. Compliance should merely be a side benefit of a well-run information security program.
There are other ways to show how information security can facilitate and support the business without being just another overhead item. Talk about how security can help the business add value to existing products and services or increase revenues by being able to offer new ones altogether. Show how systems like network access control, patch management and centrally-managed endpoint security can reduce security overhead, facilitate change management and automate policy enforcement. Or, if software or network systems are offered by your business, talk about how security can be a competitive differentiator. In today’s market, you better believe it can be!