IT managers should focus on issues such as business risk, customer impact, regulatory requirements and due diligence when demonstrating the value of IT security investments to senior executives. That’s the view of several IT managers at the recent Security Standard conference in Boston.
“What we need from a CSO (chief security officer) are facts, objectivity and some really clear recommendations” to demonstrate achievable returns on security investments, says Lawrence Kinsella, chief financial officer at BT Global Financial Services in New York.
“What we are not looking for is ‘the sky-is-falling’ FUD.”
Kinsella, who took part in a panel discussion at the conference, says security managers sometimes have little reliable data available to show that the investments they are making will truly mitigate future risks. And while it is not always necessary to deliver traditional ROI estimates, a security manager should clearly articulate business and customer risks, Kinsella says.
The issue is important because companies are increasingly moving away from reactionary security models to more preemptive ones, says Scott Blake, chief information security officer at Liberty Mutual Insurance Group. As a result, there is a greater need for security managers to understand and clearly articulate the value of security investments in a way executives can understand, he says.
“[The key is to] keep it real and get something that resonates with the executive body,” says John Schramm, senior vice president of enterprise information security at Fidelity Investments.
Using an event such as a data breach or a broad trend to bolster a security pitch can be effective in getting the attention of those holding the corporate purse strings, he says. “Use examples, use events in the media, pick the top [security] issue in the paper,” he advises.
One of the limitations of such a tack is that using external events, while powerful, can be anecdotal, Liberty Mutual’s Blake says. “Going to the board and CEO and saying that we are spending x percent but we should spend y percent is very challenging [if the discussion is based purely on what others are doing],” he says.
Showing business executives how a security investment can allow a company to demonstrate due diligence is important, too, says Tom Bowers, manager of information security operations at a Fortune 100 drug company.
Bowers’ company outsources a large portion of its IT operations to service providers. Its ability to seek legal protection under intellectual property laws would be considerably weakened if it didn’t implement what are seen as reasonable controls, such as encryption, content monitoring and digital rights management, he says. Highlighting such issues can help reinforce the business value of security investments, he says.