Bridging the Security to Business Relationship Gap

Aligning Security Budget with Business Needs

By Ryan Groom, About.com

IT Security – A Cost Center?

As a security professional, you should have come to grips with the fact that IT security is most often viewed as a cost center. This can make it difficult to get executive buy-in, budget monies, and user acceptance of the security processes and policies that are put in place.

It is unreasonable to expect executives to learn security. Their focus is running the business of the company, which, unless your company happens to be a security company, is what pays the bills and keeps the IT and security team employed. It is much more reasonable, and ultimately the responsibility of the head security people, to understand how the business runs, what the business drivers are, and how security can make the business safer and more effective, and to justify the cost of doing so.

Uphill Battle?

Sounds like a large task? Many senior business people see security professionals as ‘No’ people. If you can demonstrate that your security group can enable the business to run as well as or better than before, your success rate for security initiatives will increase. The better you ‘sell security’ to the executive team, the better able your team will be to protect the business.

A common approach is Fear, Uncertainty, and Doubt (FUD). Not only do I think that this is a poor approach to security that would have all of us wearing tinfoil hats, but it is also a great lead-in for one of the toughest (and appropriate) questions asked by executives: What exactly are the risks, how much will these risks cost, and what are the chances of these risks affecting us?

Solving the Problem

How do you approach answering this question? It will most likely involve some research on your part to gather current statistics that emphasize the risk, such as the types of corporate-controlled assets, security breaches (attempted and successful), cost of downtime, cost of preventative measures, cost of recovery, cost of brand damage, and any other metric relevant to your case. Once you have these statistics, and assuming you understand the threat landscape, you will be prepared to calculate risk. There are all kinds of equations (Annual Loss Expectancy, or ALE, and others) that will help you determine these risks to a reasonable level without sounding like ‘Chicken Little’ or being as unclear as Enron’s accounting principles.

Translate Security Risks to Business Issues

Once you can quantify these metrics, the key is to translate the security risks into business issues. This is a common stumbling point for security professionals. It is sometimes easier to talk about risk mitigation from a security perspective than it is to talk about business enablement from a business perspective. Business executives are less inclined to be concerned with MTBF and MTTR, which are core tenets of availability, than they are with Business Continuity. Keeping the business running in times of crisis will be top of mind for an executive, and as such these metrics should be presented in a manner that conveys the business risk. As an example, here are some possible translations:
  • MTBF, MTTR, availability = Business Continuity
  • Backups, offsite storage, encrypted tape content = Disaster Recovery
  • IDS and Firewall = Prevent/monitor potential loss of Customer/Business data = Privacy Violations and Fines
  • Load balancers, IPS = Ensure Ecommerce site is always on and not modified = ability to process orders and not lose customer credit card information
  • Cost of new tool – $$ of potential breaches prevented = cost savings for the company

In Closing

In many cases the funding for your security initiatives will be directly tied to business objectives. The better you are at aligning security with business and providing reasonable security measures, the more likely you are to get approval for your initiatives. As you prepare these business cases for security, remember one key thing:

Security exists because business exists and not vice versa.

©2008 About.com, a part of The New York Times Company.

All rights reserved.