Xerox takes information security seriously. It regularly conducts network vulnerability scans and does corporate audits of its risk mitigation efforts. A compliance programme buoys employee awareness of its security processes — as well as its disaster recovery, information privacy and Sarbanes-Oxley Act policies — and an executive board champions adherence to them all. Meanwhile, the company’s security budget is holding steady compared with last year, even as other IT spending is down.
However, as Xerox chief security officer Audrey Pantas says, “You never get as much as you’d like — you could always do more.”
With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as chief executives and chief financial officers increasingly look for signs that security dollars are being wisely spent.
“Senior management knows there’s a problem, but it seems that every day the problem gets worse, and it’s like there’s no end in sight,” says Robert Charette, director of the enterprise risk management and governance practice at the Cutter Consortium, an IT consultancy.
“There’s the feeling that they could give security every single penny and it still wouldn’t be enough,” he says.
To keep the security budget from looking like a black hole, it’s necessary to articulate the value of the money being spent. Here are some do’s and don’ts for doing that.
1. Don’t use scare tactics
Every day, it seems, a story emerges about a backup tape theft or compromised customer data. Don’t overuse these incidents when seeking to justify your funding requests. “Executives can become desensitised or jaded if they hear too much about reports that they don’t think affect them,” says Christopher Bomar, founder of Boomarang, an online data-backup service firm.
“FUD has been used up,” agrees Mark Rhodes-Ousley, an information security architect. “So many people have cried wolf that executives are inured to scary stories.”
However, using recent security incidents to shed light on your company’s needs can be effective, if it’s not overplayed. One idea is to send out regular emails that put news stories into perspective and show how they apply — or don’t — to your business, says Bob Dehnhardt, network and information security manager at TriNet, a human resources services firm. “You can use these incidents as an opening, but back them up with a strong business case,” he says.
2. Use horizon planning
Instead of asking for funding several times a year, forecast security costs over a 12-to-24-month time horizon, Rhodes-Ousley says. “Executives can swallow that more easily,” he says. “If you say you need certain things next year, you can get funding more easily than saying you need something now.”
At Xerox, Pantas develops a three-to-four-year strategic plan for the company’s security efforts and then prioritises which of those projects to pursue in the ensuing year. “I work off an overall strategic plan on where we want to take security,” she says.
3. Let senior executives define acceptable risk
Business executives deal with risk all the time, so before forking over money for protecting corporate systems and data, they first want to know the degree of legal, financial, operational and strategic risk they’re facing. Only then can they decide how far they need to reduce their exposure and, thus, how much they want to spend.
“If the CIO is bringing concrete evidence of exposure, liability, and even an actual incident, the discussion changes from ‘Should we do this?’ to ‘How much would it cost to make this go away?’” Bomar says.
When presenting this information, give executives an array of choices with different levels of protection — like they’d get when choosing an insurance plan, Charette says. “Let them understand what’s at risk and then let them choose how much they want to cover themselves,” he says.
Doug Lewis, a former CIO and a senior partner at The Edge Consulting Group, calls this “finding the prudent zone.” He recommends adding up how much it would cost to improve security and then plotting the range of spending options on a chart. On one side of the chart is the “danger zone”, where security is insufficient, and on the other is the “ridiculous zone”, where the company is overspending. Somewhere in the middle, he says, is the prudent zone, which will vary depending on your industry and security risks.
4. Use business language
When you live and breathe security, it’s easy to be passionate about things like the difference between intrusion protection and intrusion detection. But don’t talk in those terms at a board meeting. “You have to explain yourself in human-readable terms,” Lewis says. “What the CEO wants to know is, ‘Am I being protected at a prudent level and, if not, what do I need to do to get there?’”
When Pantas discusses the importance of avoiding vulnerabilities in software code, for instance, she doesn’t go off on a tangent about not doing cross-site scripting, she says.
It’s vital to be able to state your case in an “elevator speech” — a concise, compelling argument that can be made in less than a minute. “What’s that one message?” Charette says. “They don’t care about the different levels of encryption. They care about the harm it will keep the company from suffering and how much it’s exposed in the different scenarios.”
5. Don’t use ROI arguments
Investing in security rarely yields a return on investment, so promising an ROI will sound ill-informed to a senior executive. “You really have to talk about it from an insurance perspective,” Pantas says. “It’s more about cost avoidance or cost of compliance. There’s very little in what we do that’s relative to gaining ROI.”
It’s possible to discuss other benefits of security spending, such as protecting the company’s ability to generate revenue, keep market share or retain its reputation. But ROI relates to expanding revenue and profits. “And security isn’t about that,” Charette says. “Trying to sell it as if it’s a revenue generator is a good way to have the board say, ‘Are you nuts?’”
6. Do report on benefits from past spending
Before asking for more security funding, it’s prudent to make sure you close the loop on your previous spending by regularly updating executives on the results of those efforts. This means regularly measuring things like how many malicious attempts were stopped at the firewall or how quickly incidents were resolved and summarising this data in a meaningful way.
For example, Pantas’ team conducts regular audits of network attacks, providing her not only with an idea of where vulnerabilities continue to exist but also with a record of improvement over time.
“After you’ve invested in new security technology, you need to come back six months later and show what you’ve achieved and how it squares up with what you intended to achieve,” Gartner analyst Tom Scholtz says.
You also need metrics to show that it’s good when nothing happens, McGraw says. For instance, following a worm outbreak, use network-activity reporting to show proper protective measures were in place. Otherwise, it’s possible to fall into the chicken-and-egg trap, where people begin wondering why you have to keep investing in security when nothing bad ever happens, he says.
He also cautions against getting too granular in reporting. “They don’t want to see your firewall logs or the number of virus scans or something geeky that you have to explain in three paragraphs,” he says. “What they want to know is they invested $10 million in this product line and it’s not going to be hacked on the first day.”