Making the Case for Security Investment
Annual security risk assessments and meaningful metrics are among the tools infosec pros can use when asking senior decision-makers to increase budgets.
By Jason Riddle, LBMC Managed Security Services
Every organization gives lip service to data security. But too often, it’s just that: lip service. When it’s time to make the decisions about budget allocations, security can be one of the first functions to suffer. Many organizations reason that as long as they’re meeting the minimum standards of any industry rules or regulations to which they’re subject, they’re fine.
Unfortunately, that’s a woefully incorrect assumption, and it can make for a dangerously insufficient security strategy. Compliance baselines are written for an entire industry, so they cannot account for an organization’s unique risks, strengths and challenges, and they are often slow to adapt to a fast-moving threat landscape. This path of least investment in security has helped create an environment in which organizations regularly suffer costly breaches, many of them entirely preventable.
Clearly, another approach is needed -- and it often falls to security advocates within an organization to make the case for change. So how can you persuade your organization to implement better security if you know it’s not up to snuff, and upper management is hesitant to address the problem?
Take Your Case to the Top
It used to be that appeals for security resources would be made to figures like the CIO or vice president of IT. More and more, however, to achieve meaningful change you must speak directly to top-level executives, helping the CFO and CEO understand the importance of sufficient investment in security.
If you can make the need clear to your organization’s top decision-makers, you will be more effective at getting the resources you need, whether that means people, financial support or tools. While it’s common to spend a great deal of time thinking and talking about the latest security technology, the missing puzzle piece for many organizations is people. Experienced and informed professionals can implement fundamental best practices that will often go further than the shiniest new technology.
In order to acquire these resources more effectively, you’ll need to open a dialogue – preferably as soon as possible, but at least before budget dollars are allocated.
So how can you open that dialogue?
Build a Business Case for Security Investment
Building a business case for implementing important security tools and services often starts with demonstrating both the range and reality of costly consequences for poor data security.
As breaches and other security incidents become more and more common, the body of data available to help make this point just grows larger and richer. Recently, we’ve seen Sony Pictures Entertainment suffer a staggering loss of private employee data, business secrets and major intellectual property such as unreleased theatrical films.
Breaches in the health care industry are so common that the U.S. Department of Health and Human Services’ Office for Civil Rights maintains a public "wall of shame" listing health care organizations that have reported breaches of protected health information affecting 500 or more individuals. Increasingly, these organizations are subject to major fines. And fines aren’t limited to the health care field – retailers and other organizations that lose consumer data can be subject to serious penalties as well.
Clearly, the consequences of a breach are many and various, including violation of government regulations, loss of business secrets, loss of consumer data, loss of public trust and serious financial repercussions.
Risk Assessments and Meaningful Metrics
While more senior decision-makers are recognizing the importance of security, to many the threats can seem distant or abstract. "Those things will never happen to us," they might say.
While you don’t want to be the voice always warning that the sky is falling, you do need to continuously affirm the necessity of robust security. Annual risk assessments can help with this, identifying both the specific threats your organization faces as well as the impacts an attack might have for your business.
Another useful strategy is to report meaningful metrics to your top decision-makers on a monthly basis. The number of security events in a given span of time is one useful metric: these are the irregularities identified by your security team that require follow-up and investigation. Often this number is much, much higher than senior executives realize. Pair the raw count with what became of those events (how many were confirmed incidents, how many are still open, how long triage took) so the figure reads as workload and risk rather than as alert noise.
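The monthly metric described above, as an added illustration that is not part of the original article or the author’s own tooling: a small Python script that takes a list of events the security team flagged for follow-up and rolls them up by month into the figures an executive summary would carry. The event records, their field names (detected, triaged, disposition) and the disposition values are constructed for this example and assumed rather than taken from any particular SIEM.

```python
"""Roll flagged security events up into a monthly metrics summary.

Added example. The record layout below is an assumption: a real export from a
SIEM or ticketing system will need a small adapter to produce the same fields.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (not real data). Each one is an irregularity the
# security team flagged for follow-up; "triaged" is None while it is still open.
SAMPLE_EVENTS = [
    {"id": "E-1", "detected": "2015-01-03T08:15", "triaged": "2015-01-03T09:05", "disposition": "false_positive"},
    {"id": "E-2", "detected": "2015-01-10T22:40", "triaged": "2015-01-11T07:10", "disposition": "incident"},
    {"id": "E-3", "detected": "2015-01-21T13:00", "triaged": "2015-01-21T13:30", "disposition": "benign"},
    {"id": "E-4", "detected": "2015-02-02T03:12", "triaged": "2015-02-02T03:42", "disposition": "incident"},
    {"id": "E-5", "detected": "2015-02-14T16:00", "triaged": None,               "disposition": None},
    {"id": "E-6", "detected": "2015-02-27T11:20", "triaged": "2015-02-27T12:50", "disposition": "false_positive"},
]


def _parse(ts):
    """Parse the assumed 'YYYY-MM-DDTHH:MM' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def monthly_metrics(events):
    """Return {"YYYY-MM": {...}} with, per month of detection: total events,
    events still open, confirmed incidents, false positives, and the median
    minutes from detection to triage over the events that have been triaged."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[_parse(ev["detected"]).strftime("%Y-%m")].append(ev)

    report = {}
    for month, evs in sorted(buckets.items()):
        triage_minutes = [
            (_parse(e["triaged"]) - _parse(e["detected"])).total_seconds() / 60
            for e in evs
            if e["triaged"] is not None
        ]
        report[month] = {
            "events": len(evs),
            "open": sum(1 for e in evs if e["triaged"] is None),
            "incidents": sum(1 for e in evs if e["disposition"] == "incident"),
            "false_positives": sum(1 for e in evs if e["disposition"] == "false_positive"),
            # None when nothing in the month has been triaged yet
            "median_triage_minutes": median(triage_minutes) if triage_minutes else None,
        }
    return report


def format_report(report):
    """Render the summary as the fixed-width table you would paste into a monthly update."""
    header = f"{'month':<8}{'events':>7}{'open':>6}{'incidents':>10}{'FP':>5}{'median triage (min)':>21}"
    rows = [header]
    for month, m in report.items():
        triage = "-" if m["median_triage_minutes"] is None else f"{m['median_triage_minutes']:.0f}"
        rows.append(
            f"{month:<8}{m['events']:>7}{m['open']:>6}{m['incidents']:>10}"
            f"{m['false_positives']:>5}{triage:>21}"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(monthly_metrics(SAMPLE_EVENTS)))
```

The point of carrying open events and median triage time alongside the raw count is that a rising count on its own can be read as either a busier adversary or a noisier detection rule; the accompanying columns show whether the team is keeping up and how much of the volume turned out to be real.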
By using these strategies, you will hopefully give yourself the persuasive power you need to get your top decision-makers on board with investment. Ultimately, your efforts should result in a safer and more sound business.
Jason Riddle is practice leader at LBMC Managed Security Services where he helps defend his clients’ networks. He has over 15 years of experience working both as a consultant, advising commercial and government clients, and as a corporate information security officer for a financial services organization. His core areas of expertise are technology infrastructure, security and compliance, electronic payments, and developing processes to defend networks and systems against today’s advanced threats.