Rob Buckley – Freelance Journalist and Editor

Making a case to the board

Justifying security spend in tough times is a hard sell. So, avoid complex ROI arguments, focus on risk and steer clear of jargon. By Rob Buckley.

Proving security's worth is not always the easiest job. Once you've invested in systems, trained staff, secured the perimeter, secured the interior, put in monitoring and maintenance programmes, chosen what, if anything, to outsource, run penetration tests and more, what's the result? No-one gives out their password on the phone, catches a virus on their PC, leaves unencrypted data on the train or suffers any kind of security breach. If all goes right, nothing happens.

Come the next budget round, though, the idea of giving money to a function that doesn't seem to produce any visible results may seem less palatable to the board than giving money to the sales department – particularly as the credit crunch makes cutbacks inevitable. So how should the information security head go about making the case for investing in security? And as those cutbacks start to bite, how can he or she make the money that is available go further?

As many CSOs have discovered, rather than talking ‘techie’, using the same language as the rest of the business pays dividends. That might mean discussing return on investment (ROI) – or even ‘return on security investment’ (ROSI) – but that approach has pitfalls.

“Use the right language,” says Nick Seaver, a director in Deloitte's security practice. “I do see ROSI used in place of ROI, but the reaction from FDs and CEOs is often bewilderment that it's not just called ROI. Marketing and production call it ROI, not ROMI or ROPI. Using ROSI outside the security community risks losing credibility.

“ROI is notoriously difficult to use accurately in risk-reduction efforts and serves to undermine your case.”

Seaver points to risk management and marketing functions in organisations, both of which have the same challenges in justifying investment but which don't tend to use ROI to do so.

Although the temptation to attempt to produce ROI figures can be great, finding the data to create them can be hard, as can finding a useful methodology. Adrian Davis, senior research consultant for the Information Security Forum, has been working on approaches more applicable to the security industry than standard ROI. “Applying ROSI in an organisation is difficult,” he says. “Without clear guidance from published sources, security professionals may struggle in understanding when and where to use ROSI. Should ROSI be used for demonstrating the benefits of security in an organisation, or just the benefits of installing an integrated security gateway? Calculating ROSI is problematic.

“The various calculation methods are complex and inconsistent, meaning that it is difficult to compare the results from two different calculations. Many ROSI approaches are data-driven, but much of this data is often lacking in both the public domain and within organisations. The data that is publicly available is often regarded as unreliable and lacking insight and it is often collected with little rigour or consistency,” he says.

Seaver says he has even seen some CSOs attempt to use Monte Carlo simulations (algorithms that rely on repeated random sampling) to calculate ROI. “Unless you know how to use these tools and are sure your assumptions and data will stand up to challenge, the more complex the tools you use, the more your assumptions and data will be challenged. ‘Viruses or spam stopped’ might be statistically robust, but ‘total cost of security incidents in the UK economy’ isn't.”
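To show why the simulation is only as good as its inputs, here is an added example (written for this page, not code from the article, from Seaver or from Deloitte). It assumes the commonly used annualised-loss-expectancy form of ROSI, which the article does not state: ROSI = (ALE_before − ALE_after − cost) / cost, with ALE_after = ALE_before × (1 − reduction). The loss figures, control effectiveness ranges and cost are constructed; the same control is run once with narrow assumptions and once with the kind of thin, wide-ranging data Davis describes, and the spread of the output is what a finance director will challenge.

```python
import random
import statistics

# Added example, not from the article or from Deloitte. It assumes the common
# annualised-loss-expectancy form of ROSI (the article states no formula):
#   ROSI = (ALE_before - ALE_after - cost) / cost
#   ALE_after = ALE_before * (1 - reduction)
# Every input range below is a constructed stand-in for the assumptions an
# analyst would have to defend in front of the board.


def simulate_rosi(ale_before, reduction, cost, runs=10000, seed=1):
    """Monte Carlo ROSI: draw the annual loss expectancy and the control's
    effectiveness uniformly from (low, high) ranges and return the list of
    simulated ROSI values, one per run."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    results = []
    for _ in range(runs):
        ale = rng.uniform(*ale_before)
        eff = rng.uniform(*reduction)
        avoided_loss = ale * eff  # ALE_before - ALE_after
        results.append((avoided_loss - cost) / cost)
    return results


def summarise(results):
    """Percentile summary plus the share of runs in which the control loses money."""
    s = sorted(results)
    n = len(s)
    return {
        "p10": s[int(0.10 * n)],
        "median": statistics.median(s),
        "p90": s[int(0.90 * n)],
        "share_negative": sum(1 for r in s if r < 0) / n,
    }


# Constructed scenarios for a control costing 150,000 a year.
# Narrow: annual losses of 400k-500k, control removes 60-80% of them.
NARROW = dict(ale_before=(400_000, 500_000), reduction=(0.60, 0.80), cost=150_000)
# Wide: the same control, but with loss data as thin and inconsistent as the
# article describes, so the analyst can only bracket it very loosely.
WIDE = dict(ale_before=(50_000, 1_500_000), reduction=(0.20, 0.90), cost=150_000)


def compare(narrow=NARROW, wide=WIDE):
    """Run both scenarios and return their summaries side by side."""
    return {
        "narrow": summarise(simulate_rosi(**narrow)),
        "wide": summarise(simulate_rosi(**wide)),
    }


if __name__ == "__main__":
    for name, summary in compare().items():
        print(f"{name:7s} p10={summary['p10']:+.2f} median={summary['median']:+.2f} "
              f"p90={summary['p90']:+.2f} negative={summary['share_negative']:.0%}")
```

With the narrow inputs every run pays back (the worst case still avoids more loss than the control costs). With the wide inputs the same control shows a negative ROSI in a sizeable share of runs and a 10th-to-90th percentile spread many times larger, so the headline figure depends almost entirely on which loss range the analyst chose, which is exactly the challenge Seaver describes.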

Concentrating on ROI and hard figures can even skew investment away from the projects that are needed towards ones that are easier to quantify but less necessary.
