So, you go into your CFO's office with a perfectly prepared pitch showing the vulnerabilities in your network, the history of past intrusions, perhaps the results of a penetration test ... and management looks at you like you have three heads. You've heard it before: "We are secure enough." While it makes your blood boil to have facts and figures ignored by someone who has no idea what it takes to secure an enterprise network, the problem isn't that they are ignoring the risks. They are simply using a different metric for security.
Looking at the other side
Being a vendor in the security space is actually very interesting. I get to see the technology develop and change, and I get to see the dynamics of the corporate security program from a third-party point of view. The most divergent perspectives I have seen are those between the security practitioner and the financial manager of the security group.
Both the security professional and your financial manager use a meter to determine when the enterprise is 'secure enough.' The problem is simply that the meters are different.
What I have seen is that the security practitioner views progress toward being secure as a progression of security tool implementations. In general, the security practitioner's security meter starts with firewalls, anti-virus, virtual private networks, content filtering, IDS, etc. The security professional has an approved security policy that implies a particular technology set, and the enterprise is secure when those technologies have been implemented.
The financial manager has a very similar-looking meter, but the metrics are different. According to industry analysts, enterprises spend between three and 10 percent of revenues on technology, and one to three percent of technology expenditures go toward security. The result is that the average security budget will be between 0.03 and 0.3 percent of corporate revenues. As annoying as it sounds, your financial manager thinks you're secure when you have spent 100 percent of your security budget for the current year!
Now, before the veins in your head explode at the seeming irrelevance of this statement, let's put this into context.
Business managers are constantly juggling the priorities of the business and the available funding. No matter which department or project you're talking about, no department gets everything it wants, or needs. As a rule, the enterprise will fund departments or projects to the point that is commercially acceptable; in other words, it brings its spending up to the level of companies of like size and disposition. And security is no different.
Though the security sensitivity of the executives will dictate whether the security budget is at the top or bottom of the range, there is a point at which the enterprise can show that it has, by industry standards, spent enough money to protect the company's information assets. When you have reached that mark and spent that much money on security (regardless of where you are according to the security policy), the enterprise has done enough to show due diligence: it is 'secure.'
Getting involved in metrics
So, where does that leave the security professional? The biggest mistake I have seen enterprise security professionals make is ignoring the issues facing their financial managers. To be successful, the security professional needs to get involved in the metrics that will make the financial manager successful. You need to understand the budget: whether there are benefits to under-spending, or to spending within certain timeframes. Once you have a handle on the challenges your financial manager is facing, you will have a much easier time meshing your security meter with your financial manager's security meter.
And the added understanding will make you more valuable in the decision-making process. So, as time goes on, you will become more involved in the process instead of more annoyed with your boss's lack of understanding. In the end, by dealing with and supporting the financial issues of the enterprise, you end up being able to reach an overall higher level of security for the enterprise. Help your financial manager win, and you win.
Ryon Packer is vice president of marketing and business development for Intrusion Inc (www.intrusion.com).