PALM DESERT, CALIFORNIA (03/09/2004) - How do you get C-level executives to boost the budget for IT security? The trick is using a simple, persuasive chart that shows how much security investment is required to put the company into the "Prudent Zone," said consultant and former CIO Doug Lewis at Computerworld's Premier 100 IT Leaders Conference in Palm Desert, California.
"Chief financial officers eat this stuff up," said Lewis, senior partner at The Edge Consulting Group LLC in Atlanta, and former CIO at the InterContinental Hotels Group PLC. His presentation, titled "Selling Security to Your Beady-Eyed, Bean-Counting CFO," was an expanded version of an article he wrote for Computerworld last October.
Lewis said that building a business case for security spending has four steps:
- Get a credible, outside security assessment of "where you are today ... and where you need to be."
- Build a security plan to plug the holes and get to the appropriate level of security for your business. Identify the total costs for this security plan.
- Build a business case that uses the same return-on-investment calculation that your CFO already uses.
- Repeat the process annually.
The key is to avoid technical jargon and make the case in "the language of the boardroom," Lewis said.
After the security assessment and a realistic tally of how much improved security will cost, you can plot the range of spending options on the curve of the Prudent Zone chart. On the left is the "danger zone" of insufficient security preparedness; on the right is the "ridiculous zone" of overspending. Somewhere in the middle -- depending on your industry and your security risks -- is the Prudent Zone.
You can tell your CFO that "we'll only spend to stay within the Prudent Zone and we'll throw out the option of spending outside the Prudent Zone," Lewis said. But many companies are playing catch-up and need to spend more just to get into the Prudent Zone, he said.
Five years ago, the terms ROI and security weren't even used in the same sentence. But now the ferocity of cyberattacks has increased, the business consequences of those attacks have grown, and the costs of defenses have risen, Lewis said.
The result: The cost of security is now so big that it's a boardroom issue, Lewis said. But security is competing with other business investments that will produce an ROI, hence the need to create a credible, ROI-based justification for security spending "that the CFO will buy into," he said.