Making a case to the board
- SC Magazine, January 2009
Justifying security spend in tough times is a hard sell. So, avoid complex ROI arguments, focus on risk and steer clear of jargon. By Rob Buckley.
While it can be done – and Davis has developed a methodology and tools for Information Security Forum members to use – a potentially more applicable approach is risk to the business.
“Defining risks up-front and working risk-based is the best approach to please everyone – or at least most of them,” argues Martin Kuppinger, founder of analyst company Kuppinger Cole. By defining risks to the business and the potential problems they can cause if not protected against, the CSO will find it far easier to speak in terms the board can understand and to get its backing.
The risk profile will vary from organisation to organisation and industry to industry, according to Floris van den Dool, head of security for EMEA at Accenture. Some risks can be relatively easy to determine, provided the organisation has been monitoring and recording metrics for things like attempted attacks. Picking the right metric can be vital. For example, it is as important to measure outputs as it is inputs, with changes in user behaviour or levels of awareness telling more than the number of hours of training delivered or number of communications.
The move away from best-of-breed security appliances has helped with this, since most integrated solutions provide suites of reporting tools that can give a more integrated view of security risks than simple log tools. The increasing emphasis on compliance, now lumped together with other legal requirements as ‘IT GRC’ (information technology – governance, risk and compliance), means that there are software suites designed to monitor the enterprise's performance in these areas as well, which can also give a higher-level overview of risks.
Once you have worked out the risks, working out the best way to mitigate those risks in a way that is compatible with the business's processes is the next step. Not only does that ensure easier adoption and greater co-operation from the rest of the business during implementation, it gives the security function greater visibility within the business, meaning security is less likely to be seen as a ‘black box’ or a burden. By taking this overall view of risk, security projects are also far more likely to succeed, Kuppinger argues. “From our experience, most money is wasted because the scope of the investment is too limited – people just address a small problem without a holistic view.”
Having determined what projects are needed, ISF's Davis says that the next step is to approach the CFO. “If the CFO approves, you're winning half the battle of getting the business on board.” To do that, Davis suggests going to the CFO with the information necessary and asking him or her the best way to present it. “Don't go in with an information security initiative,” he warns. Instead, discussions of risk are the best way forward. With most of the business focused on reducing both costs and problems to close to zero, Davis says that talking of a non-incident rate growing to 95 per cent is less helpful than discussion of getting the incident rate down to five per cent – something particularly important when there are no ROI figures.
Seaver warns of focusing too much on those zeros, however. “If you're measuring cost per security training hours delivered, people may try to reduce the ‘cost per hour’ – but this is probably not what you're trying to achieve.”
Again, avoiding technical phrasing is key. Often, pointing simply to loss of reputation is as effective as numbers, and the MoD and other branches of government, as well as many major companies, are often extremely helpful in providing headlines about data losses that help to focus boards' minds on the potential results of under-investment in security. If talking in business terms to the rest of the business is problematic for a CSO, training is available. Indeed, CSOs who go on MBA courses to learn to ‘talk business’ often find that not only can that mean they do their own job better, they often end up doing the job of someone else higher in the company later on in their career.
It is then up to the board to decide where to invest. But if it has had a clear profile of the risks and decided which risks it is willing to tolerate, the buck no longer stops with security if there's a breach in an area where the board was unwilling to invest. If the demands from security are purely in terms of technology, the waters are muddier.
And if the board doesn't give quite enough to make the approved projects realisable, stretching the money that is available even further is also an art and can involve some lateral thinking. Davis suggests teaming up with other departments to get certain projects onto their books if necessary – provided the CSO can demonstrate that a project is necessary to ensure their projects are successful. This will also make the chances of the project succeeding even greater. Almost every CSO would like to have enough staff and budget to run every aspect of security in-house. However, few have that luxury, and Accenture's van den Dool says that outsourcing parts of security that cannot be handled in-house is a proven way of saving money.