Making the Business Case for Information Security

Oct. 27, 2008
You must master the art of selling security if you really want to prove ROI

James Champy once said, “Many executives are insulated from reality and consequently don’t know what the hell is going on.” I can’t think of a better real-world example of this than management’s relationship with information security. It’s a problem that affects practically every business, every non-profit and every government agency. And it’s also one of the greatest barriers to success we have in our jobs as security professionals.
This problem will be a thing of the past in a few decades, but right now, we have a lot of old-school managers faced with new world technology-based realities — and they often don’t mix well.
But who’s really at fault here? Do we blame management for burying their heads in the sand, claiming that there’s nothing on the network of any value that the bad guys would want? Or, do we take a good look at ourselves and consider that perhaps we’re part of the problem? I think the true answer is a lot of both.
Everyone — management, IT, physical security, you name it — has their own opinions and beliefs about information security. Some see it as a hindrance, others as a side-effect of big government regulations, and yet others as an opportunity for job security. Likewise, everyone has their own perceived risks. What seems high-priority to a network administrator may be off the radar of the same organization’s operations manager. Opinions and beliefs aside, information security is a business issue that deserves to be treated like any other serious function — but how do you get that message across to those who make the final decisions?

Change Your Focus
When it comes to proving the business case for information security, we can calculate return on investment (ROI) and risk numbers all day long. The reality is that it’s not that simple. There’s much more to the story than just handing a spreadsheet to management and having everything security-related magically supported with no questions asked. I’m not saying ROI numbers and quantifiable risk aren’t important. The thing is, we are IT and security professionals — not finance experts and mathematicians (at least I’m not). It’s unreasonable to assume that any given person working in this capacity has the knowledge, tools or even the time to calculate numbers that may or may not be accurate or of any benefit after all. Finding someone who can realistically calculate information security ROI and risk for you is nearly impossible.
Think about it: at its core, ROI is the value received relative to the cost over a given time period. How do you quantify “value received” when it comes to information security? Is it saving money, making money or not losing money? Complicating matters, look at any financial resource and you will see that ROI calculations can be modified to suit the particular situation. Everyone defines and interprets ROI differently.
Risk calculations are the same way. Typical security certification study materials and information security theory books will tell you that for any given risk you take the single loss expectancy (SLE), the loss from one incident, multiply it by the annualized rate of occurrence (ARO), the number of incidents you expect per year, and get an annualized loss expectancy (ALE). How does this translate into the real world, where we’ve got all of these complex information systems and a distinct set of problems associated with each area? Furthermore, most of us have no clue as to when the next attack is going to hit — we’re just hoping that what we have in place now is going to be sufficient to keep it from occurring, so the ARO is a guess. As with ROI, calculating risk can be an exercise in futility.
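To make the textbook arithmetic concrete, and to show why the column treats it with suspicion, here is an added example (not from the original column or its author). It computes SLE, ALE and the usual safeguard cost/benefit figure for a laptop-theft scenario, then sweeps the ARO across a range of equally defensible guesses. Every figure in it is a constructed assumption for illustration, not data from any real organization or breach; the scenario names, the asset value, the exposure factors and the safeguard cost are all made up.

```python
"""Textbook quantitative risk arithmetic (SLE, ARO, ALE, safeguard value)
and a sensitivity sweep showing how much the answer depends on the ARO guess.

Added example; not code from the original column. All numbers below are
constructed assumptions for illustration only.
"""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, using the certification-book inputs."""
    name: str
    asset_value: float      # AV: what the asset (here, customer data) is worth
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0..1
    aro: float              # ARO: expected number of incidents per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV x EF: the loss from one occurrence."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    return single_loss_expectancy(s) * s.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Textbook cost/benefit of a safeguard:
    (ALE before) - (ALE after) - (annual cost of the safeguard).
    A positive result means the control 'pays for itself' on paper."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_cost)


def aro_sensitivity(before: Scenario, after: Scenario, annual_cost: float,
                    aro_values: list[float]) -> dict[float, float]:
    """Recompute the safeguard value for each guessed ARO, holding everything
    else fixed. The spread of results is the point: the sign can flip."""
    return {
        aro: safeguard_value(replace(before, aro=aro), replace(after, aro=aro), annual_cost)
        for aro in aro_values
    }


def breakeven_aro(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """The ARO at which the safeguard value is exactly zero. Because ALE is
    linear in ARO, this is annual_cost / (SLE_before - SLE_after)."""
    saved_per_incident = single_loss_expectancy(before) - single_loss_expectancy(after)
    return annual_cost / saved_per_incident


# Constructed scenario: unencrypted laptops carrying customer data.
# Without encryption a lost laptop exposes most of the data (EF 0.6);
# with full-disk encryption only the hardware is lost (EF 0.05).
BEFORE = Scenario("laptop theft, no disk encryption", asset_value=500_000.0,
                  exposure_factor=0.6, aro=0.5)
AFTER = Scenario("laptop theft, disk encryption deployed", asset_value=500_000.0,
                 exposure_factor=0.05, aro=0.5)
ANNUAL_COST = 40_000.0  # assumed yearly cost of licences and management


if __name__ == "__main__":
    print(f"SLE before: {single_loss_expectancy(BEFORE):,.0f}")
    print(f"ALE before: {annualized_loss_expectancy(BEFORE):,.0f}")
    print(f"Safeguard value at ARO {BEFORE.aro}: {safeguard_value(BEFORE, AFTER, ANNUAL_COST):,.0f}")
    for aro, value in aro_sensitivity(BEFORE, AFTER, ANNUAL_COST, [0.1, 0.2, 0.5, 1.0]).items():
        print(f"  ARO {aro:<4} -> safeguard value {value:>10,.0f}")
    print(f"Break-even ARO: {breakeven_aro(BEFORE, AFTER, ANNUAL_COST):.3f} incidents/year")
```

With these assumed inputs the same control looks like a loss at one lost laptop every ten years and a clear win at one every five; the break-even sits at roughly one incident every seven years, a difference no one can measure in advance. That is the sensitivity the column is describing: the arithmetic is easy, the inputs are not.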
Interestingly, most ROI and risk questioning tends to stop when a security breach occurs. So, what do you do to prove the value of information security? It’s found in your ability to “sell” security. This isn’t a quick-fix solution, but it is a solution nonetheless. Once you master the art of selling security, it will work better than anything else to get information security initiatives passed.

Establish What There is to Lose
A lot of managers don’t understand the impact an insecure information infrastructure can have on the business. Many believe that IT is simply there to set up new users and facilitate Internet access, and that Information Security is there to manage the firewall and keep the anti-virus software running. They fail to consider all the other systems and business processes for which IT and Information Security are responsible. If we’re going to get past these notions and sell security in a more positive light, we’ve got to determine where it hurts the most.
The cornerstones of a secure IT infrastructure are confidentiality, integrity and availability. That means making sure the business’ information systems and electronic assets are only accessible by those with a need, not tampered with, and are there when they’re needed. In most businesses, you can tie every single business process — every customer contact, every manufacturing process or service delivery, and every dollar that’s brought in — back to a very sensitive and fragile computer environment that can’t afford to be disturbed.
As a person with network and security responsibilities, you’ve got to know what information is stored where, who has access to it, what applications are allowed in and out of the network, and so on. One of the best ways to build your case is to find out where you’re vulnerable. This may come in the form of a self-audit based on a widely-accepted standard, such as ISO/IEC 27002:2005, or it may require hiring an outside information security expert with a fresh perspective to find where you’re vulnerable and where the business is at risk. You can’t adequately protect what you don’t understand or know about, so make this your first step.
Then, you need to find and communicate the security holes to management. Point out that once electronic information is compromised, the cat is out of the bag — it’s either in someone else’s hands and impossible to recover, or it’s gone forever. When managers see there is something to lose, as is likely the case in your business, they will be more willing to stick their necks out and support you in your efforts.

Get and Keep Them on Your Side
One of the greatest skills to have as a business professional — regardless of your specific job — is the ability to sell your ideas to others. I’m not talking about learning cheesy sales techniques used by car salesmen, but rather working on yourself and your style in order to influence and persuade management about the business’s information security needs.
We’ve all experienced pushback when trying to sell others on our ideas. The underlying question is always “what’s in it for me?”
Management will want to know what security is going to do for them, or more specifically, for the business. It’s your job to lay out the answers clearly and plainly without being too pushy. Get them involved with good information at the right time and let them ask the questions that lead to solutions.
We all know that knowledge is power. In the context of proving the business case for information security, that knowledge is “education.” Educating management on the fact that information security is better than the alternative is your top goal. Don’t propose new information security initiatives and demand immediate responses; let your ideas sink in gradually over time. Allow a few days: people need time to think through a new idea or suggestion.
By all means, don’t grasp at straws based on what you’re reading in the media and use fear, uncertainty and doubt (F.U.D.) to build your case. Rational fears proportional to the threat are OK, but irrational fears (i.e. F.U.D.) blow things out of proportion and people will see right through it. It’s okay to mention some key threats and vulnerabilities and what their outcomes to the business would be, such as:

• Sensitive information being scattered about the network with no way to know who has access or prove who walks off with it;
• The e-commerce Web site that’s never been tested for security flaws;
• Unsecured wireless networks set up by employees for the sake of convenience; and/or
• Hundreds of laptop computers in use without any of them having drive encryption.

Get Involved
Another key to selling security is to get involved with the business at every chance, not just every few months or at the annual retreat. This means attending business meetings that involve information security, calling your own security meetings, posting company blog entries and even running your own training sessions to get visibility as far and wide as possible. Make yourself visible while you learn the inner workings of the business, the key players and how things operate. This will allow you to adjust your approach based on culture and politics.
Strive to make information security a high-value yet low-risk proposition. Show why it’s needed, its benefits and how it will support the business — and don’t make the mistake of letting compliance be your main goal. Compliance should merely be a side benefit of a well-run information security program.
There are other ways to show how information security can facilitate and support the business without being just another overhead item. Talk about how security can help the business add value to existing products and services or increase revenues by being able to offer new ones altogether. Show how systems like network access control, patch management and centrally-managed endpoint security can reduce security overhead, facilitate change management and automate policy enforcement. Or, if software or network systems are offered by your business, talk about how security can be a competitive differentiator. In today’s market, you better believe it can be!

Information Sharing
Share information with key managers on computer security incidents — especially ones that are taking place in your industry. Clip magazine articles, forward them links to online columns and blogs, or grab the latest interesting breach stats from the Chronology of Data Breaches report at
Finally, keep management in the know and give consistent reports and feedback to stay visible. Demonstrate how their information security investments are working. Create ongoing reports on the state of information security. Give them examples of how the network and applications were secured from known attacks. Show them intrusion prevention system reports documenting how the latest well-known malware was stopped at the network perimeter. Present your latest vulnerability assessment results showing that no critical or high-priority problems were found. Proudly present your latest budget showing that an additional full-time employee is no longer needed because of the automation you’ve built in using the right security technologies.
Again, you don’t need hard numbers, just real-world examples of how security is helping. By doing these things you make the case that information security is better than the alternative.
Proving the business case for information security is far more about you, your communication abilities and your relationships than it is about proving some pie-in-the-sky numbers. Being competent, credible and believable is key. You can establish these things with a positive attitude toward the business, by showing interest in what management is up against, and, perhaps most importantly, by speaking on their level in terms they understand. By focusing on these areas, you will not only prove yourself to be a person of value but you will also build trust, which is the backbone of selling security.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. Mr. Beaver has authored/co-authored seven books on information security including “Hacking For Dummies” and “Hacking Wireless Networks For Dummies” (Wiley). He’s also the creator of the Security on Wheels information security audio books and blog ( providing security learning for IT professionals on the go. He can be reached at [email protected].