It is one thing to present a comprehensive data security plan after a breach is identified and the barbarians are at the gates calling for the neck of the chief information officer (CIO). It is quite another to build in data security before the worst scenario occurs.
The pressing challenge for today's IT and information professional is to prepare a proposal for senior management and the board of directors that garners their approval and funding before the Securities and Exchange Commission, Department of Justice or regulators are pounding on the door.
For the CIO, simply telling the board that cyber threats are growing and potential lawsuits could be oppressive is far from a compelling argument, says Richard Bejtlich, chief security officer at Mandiant, an Alexandria, Va.-based threat detection and response company. Instead, he says, it is necessary for funding requests to be put in business terms that address corporate risk, compliance and similar operational fundamentals.
Companies today face a conflict of confidence if they publicly acknowledge a data breach, yet virtually every one has had some level of compromise to their network, whether they know it or not, says Bejtlich, who runs Tao Security, a data security consultancy. Noting that even organizations that are seemingly savvy about protecting data have been breached, including federal agencies and companies in the security industry, he says such compromises are still considered to be a “negative event” in the eyes of corporate executives. “It's still ‘blame the victim,’” Bejtlich says.
There are two occasions that will generate a request for data security funding from the chief executive officer or board, he says. A breach certainly will generate an investigation into security practices and, perhaps, a request for greater budget. But a pre-breach analysis of the existing risk profile and potential vulnerabilities could also generate a successful request for further funding.
Reaching the board
The success or failure of such a pitch depends greatly on the upfront work done by the security and IT teams, Bejtlich says. Management will want to know not only how the proposed initiatives would affect data security, but also how they impact all corporate operations, including HR, audit, legal and compliance. The board also will seek to learn whether the proposals are based on established technologies with proven track records.
Bradley Schaufenbuel understands these needs from both the technical perspective and the business side. He is director of information security at Midland States Bank, based in Effingham, Ill., and sits on the boards of several companies. As such, he not only is responsible for proposing information-security strategies for the midsize Midwestern bank, but also is on the receiving end through his board commitments.
Schaufenbuel recommends four strategies for soliciting funding. The first is to position the proposal as a business enabler. “Focus your message on what investments in security enable your business to do that it would not otherwise be able to do safely,” he says. “For example, an investment in the execution of a mobile security strategy, such as device management, enables a bank to mobilize its workforce into the field to take applications to customer sites, rather than forcing them to visit a branch.” This tactic provides a competitive advantage over other financial institutions, Schaufenbuel says.
He also recommends that the IT team align security investments with the company's strategic objectives. Most companies have set goals that serve to guide everything from the top down, he says. The proposal should therefore point out how investments in improved data security align with and support those goals.
To further help make the case, Schaufenbuel suggests the pitch leverage the organization's enterprise risk management program. Most boards now have a risk or audit subcommittee, he says. “Leverage the focus on enterprise risk management to your advantage,” he says. “Work closely with your organization's chief risk officer to explain to the board that IT risk management is simply a subset of enterprise risk management.”
Finally, Schaufenbuel says the plan should focus on how security improves shareholder value. “One approach is to demonstrate that an investment in better security will enable additional business, which will increase future revenues and thus boost future profitability,” he says. “Or, you can demonstrate that an investment in better security will reduce future losses or improve employee productivity, which also increases future profitability.”
This final suggestion is not universally held, however. Mandiant's Bejtlich, for one, says, “You can't increase shareholder value with security.” His reasoning is that while security can provide a competitive advantage, investors, as well as customers, expect a business partner to safeguard its data.
Dos and don'ts
Just as there are winning proposals, Schaufenbuel cautions that there are also approaches that can prove to be losing strategies when trying to gain security funding from the board.
“Don't focus on technology to the exclusion of other methods of managing risk,” he says. “Many IT and security executives started out in technical roles and, therefore, see technology investments as the primary method of mitigating risk. However, there are usually multiple ways to mitigate unacceptably high risks – some involving the implementation of new technology and many that do not.”
He also warns against trying to convince the board using fear, uncertainty and doubt (FUD) tactics. “The days of scaring the leadership of your organization silly so that they feel compelled to throw money your way are long gone.” Today, Schaufenbuel says, directors are more interested in making sure their investments in security are being used efficiently to manage risks than they are in hearing about advanced persistent threats, followed by a demand for money.
Finally, he says, don't use “geek speak.” Technical language quickly can confuse a non-tech-savvy audience, and board members could feel the pitch is designed to talk past them rather than addressing a business need.
Dave Berkus, chairman emeritus of the venture capital firm Tech Coast Angels and current chairman of several additional firms, as well as a current or former board member of more than 40 companies, agrees that senior management generally takes well-supported security recommendations more seriously than in the past.
Historically, if a board chose not to act on a warning that a security vulnerability could have a serious impact on the company, it was easier to ignore the warning without fear of a backlash from technologically sophisticated shareholders. Today, he says, board members are more aware of their personal responsibility for the care of corporate assets, so concerns voiced by management about IT weaknesses get closer scrutiny and consideration.
According to the business judgment rule, which is codified in U.S. case law, if a board is advised of a potential problem and does what it can to prevent a loss, it is absolved of any wrongdoing should the worst-case loss scenario occur, Berkus says.
And, with the increase in sophistication of directors and a greater knowledge of cyber security, Berkus says, IT departments can expect that boards will be more responsive to a well-thought-out data security proposal today than perhaps they were in the past.