Making the Business Case for Information Security

You must master the art of selling security if you really want to prove ROI


Information Sharing
Share information with key managers on computer security incidents — especially ones that are taking place in your industry. Clip magazine articles, forward them links to online columns and blogs, or grab the latest interesting breach stats from the Chronology of Data Breaches report at www.privacyrights.org.
Finally, keep management in the know and give consistent reports and feedback to stay visible. Demonstrate how their information security investments are working. Create ongoing reports on the state of information security. Give them examples of how the network and applications were secured against known attacks. Show them intrusion prevention system reports that document how the latest well-known malware infection was stopped at the network perimeter. Present your latest vulnerability assessment results showing that no critical or high priority problems were found. Proudly present your latest budget showing that an additional full-time employee is no longer needed because of the automation you’ve built in using the right security technologies.
Again, you don’t need hard numbers, just real-world examples of how security is helping. By doing these things you demonstrate that information security is better than the alternative.
Proving the business case for information security is far more about you, your communication abilities and your relationships than it is about proving some pie-in-the-sky numbers. Being competent, credible and believable is key. You can establish these qualities with a positive attitude toward the business, showing interest in what management is up against, and, perhaps most importantly, speaking on their level in terms they understand. By focusing on these areas, you will not only prove yourself to be a person of value but will also build trust, which is the backbone of selling security.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. Mr. Beaver has authored/co-authored seven books on information security including “Hacking For Dummies” and “Hacking Wireless Networks For Dummies” (Wiley). He’s also the creator of the Security on Wheels information security audio books and blog (www.securityonWheels.com) providing security learning for IT professionals on the go. He can be reached at kbeaver@principlelogic.com.