To hear some IT security managers tell it, getting money to support security programs is always tough. And in ugly economic times such as these, it is doubly difficult, as painful an endeavor as holding up the earth was for the mythical god Atlas.
Some infosec professionals, on the other hand, take a more pragmatic line. They contend that if you can show real business benefits from security programs, then you are far more likely to get the money to fund them.
While the viewpoint to tie security projects with company objectives makes a great deal of sense in a world where more business is done via the internet and loads of information is stored on networks, the process of revealing security benefits to C-level executives takes much planning and finesse. Throwing arbitrary statistics about the occurrence of virus attacks or breaches at CEOs or CFOs, without showing how these might affect the business directly, is simply an ineffective way to gain money for various and sundry security projects, say experts. The 'fear, uncertainty and doubt' tactic, better known as the FUD argument, just will not fly in today's financially constrained organizations.
"A CEO's focus is not security, it is ensuring that they get the best for their stakeholders, and often that comes down to the bottom line," says Gary Clark, European head of sales and marketing for Rainbow Technologies. "This means that expensive deployments to ensure the security of the company could well be curtailed at the board/ CEO level, as they see the security measures that they [already] have in place as adequate."
The need to show clear results
If no damage has been done, new security deployments are simply viewed as overkill, he notes. Additionally, even if an organization may be experiencing security breaches, unless the effects of such attacks jolt the bottom line in shutting down the network for an extended time, for example, CEOs are not interested in spending on security, he says.
Such mindsets contribute to the continuation of ineffective security programs, according to recent findings from Forrester Research, Inc. Basically, more funds might be getting dedicated to security, but security incidents continue to increase both in number and severity. Companies, therefore, persist in maintaining defensive/reactive positions.
Additionally, security managers are failing to do a good job of showing how well their security controls are helping their organizations. For instance, in 2000, an average Global 3,500 firm spent 0.024 percent of revenue on security, but these companies' security managers were unable to say whether or not such an expenditure was too much or too little, according to Forrester's August 2002, IT Security's Awkward Adolescence report.
One respondent from a Global 3,500 company for another of Forrester's research reports (IT Security Fails - Now What? February 2002) said, "In fact, we don't even have a security line-item on our IT budget for next year because we can't show ROI yet."
As another put it: "We can't show any ROI for incident response, and people with MBAs don't like sinking money into a black hole. So, we don't have much budget for incident response."
Tactics for winning money
The success of any security program and related capital outlay to support it is contingent on advocacy from the top. To get this kind of guidance, says 4FrontSecurity's CSO Steve Crutchley, the onus falls to the IT/security manager to communicate infosec needs properly. "The CSO must be able to speak to the CEO in his or her terms, which means understanding the business process, the business objectives and how security can support that business process," he says.
Adam Hansen, a lead information security engineer with Sonnenschein, a law firm with offices across the United States, says his four-person group has had much success in deploying security controls throughout the organization. By enlisting (ISC)2's Common Body of Knowledge and its 10 domain areas, he has found it easier to convey security needs to end-users and managers.
Also, conducting risk assessments and using risk mitigation strategies to decrease the overall risk to the firm has helped in getting monies needed for miscellaneous deployments. By doing this and reporting back on metrics (such as how many viruses have been stopped or breaches have been blocked as a result of security controls) regularly, he says he is able to show C-level executives where the company is at and why they may need to consider spending additional funds on other security tools.
"People that are the stakeholders in the organization want to understand what we're doing and why, and by constantly [providing them with] the stats, information and business cases, they understand the holes we're trying to eliminate," he says.
Mick Ware, director of IT for United Heritage Insurance, says he is dealing with a couple of problems: tightening purse strings and misconceptions about security. "There are all kinds of competition for budget dollars and most managers of other departments see security as an impediment," he says.
To overcome these obstacles he not only gets support from the CEO, but involves other department managers in the development of security policy. Further, he recognizes that achieving security goals to benefit the organization as a whole is easier when he goes to the top from the start. In this way, the CEO and other top-level managers end up speaking for him about security mandates, which results in other departments paying attention and, more importantly, conforming to security requirements.
Really, says Sonnenschein's Hansen, development of an organization's security posture is conditional on showing the value of security implementations and policies to the overall business scheme. If you fail in this, security projects will have no longevity, much less get off the ground.
"If you don't communicate with your user base, you're not going to get traction," he explains. "And, eventually, you're going to lose the organization because you're ... a cost center."
Arguing for reduced risk
There are other ways IT security managers have obtained money for their projects. For instance, Adel Melek, national leader for Deloitte & Touche's Security Services Consulting practice in Canada and a member of the firm's global security services leadership group, says that some CIOs use large enterprise projects to get additional money directed toward supporting security initiatives. If this tactic fails, IT managers can try proving return on security investments, he adds.
Using the argument for deploying security to reduce risk, as Sonnenschein's Hansen has already shown, can be quite valuable. With this approach, it is all about packaging security "in terms of risk management, business opportunity, reduction of risk, bettering the business" and what it means to the organization's overall revenue stream, says David Laizerovich, president and CEO of Critical Watch.
To achieve this packaging, he says IT managers must first be able to view and understand the components comprising the entire network. After this, they can decide which of these components are more at risk than the others, prioritizing the parts of the network that need securing. From this point, the necessary tools to protect the various systems can be deployed and policies put in place. The acceptance by upper-level managers comes into play when IT executives can show the value of security deployments and how they enhance overall business initiatives.
Along with viewing security from a risk management perspective, companies can take the view that security is like insurance, says Jim Lester, vice president of marketing for WireX. Without it, a whole host of problems can arise. Anything from employee downtime to stakeholder lawsuits can result if an organization fails to address its vulnerabilities.
Dealing with the budget squeeze
The research group META contends that security is no longer an issue falling under the purview of technicians, yet it research shows that senior executives and IT/security managers still look at security policy compliance differently. As a result, security teams are sometimes faced with "fragmented budgets, years of under investment, and technology that is complex and expensive."
Consequently, tying security to a company's bottom line and its business initiatives is absolutely necessary, says 4FrontSecurity's Crutchley. The value of security is demonstrated by showing how the best practices, standards and regulations associated with security support the business.
"IT and infosecurity folks have long had a deficiency in terms of not understanding the strategic business direction and strategic business triggers," Deloitte & Touche's Melek notes. Therefore, to get the budget they require, it is much better to overcome this dearth by "linking or identifying reasons for beefing up security ... with the strategic objectives of the organization."
Unquestionably, while security was once viewed as an important component of doing business online, "it is now essential to an organization's survival," says Iain Franklin, European vice president at Entercept Security Technologies. The bottom line is that "security is part of the mix that stabilizes reputation, reduces financial risk exposure, and enables the CEO and board to concentrate on growing their business."
Illena Armstrong is U.S. and global features editor for SC Magazine.