Computerworld

Selling Security to the CFO

How to make a credible case for spending money on IT security.
 


October 13, 2003 (Computerworld) -- "Shut it down, now!" The guy issuing this command was my chief information security officer (CISO). The "it" he ordered shut down was our entire Internet infrastructure. That infrastructure was generating more than $2 million of high-profit revenue every day. After a sleepless night he had finally figured out why we were suffering a prolonged denial-of-service attack. Our firewalls should have been flawlessly deflecting this attack, but they weren't. The "bad guys" were on us like flies on a dead dog.


His sudden realization was that the firewalls had been reloaded without any of the most critical defensive rules.


The cause of this attack turned out to be human error, but the event triggered a complete review of our Internet security, followed by a decision to beef up our defenses and outsource much of our security administration and monitoring.


Back in the good old days, security consisted of a few firewalls and some virus protection. The threats have outgrown those simple defenses, and the cost has outgrown the approval level of the CISO and, sometimes, that of the CIO. Fortune 500 companies are finding themselves with security expenditures that require CEO and even board-level approvals. Each one of these companies comes with a beady-eyed chief financial officer demanding a rock-solid business case with a credible return on investment.


So you've got three problems. You've got to determine the appropriate level of security for your company. You've got to build a business case that nontechnical senior executives will understand and support. You've got to show that there's a financial return coming out of the investment. And all this is for a system where, if it's performing perfectly, nothing happens, right?


Take a deep breath. It can be done, and with credibility that even the toughest CFO will buy into.


Step 1: Determine the current and appropriate levels of security. Get a security assessment done by a company with a solid reputation. Be sure to include vulnerability assessments and penetration tests against your key systems. (Key systems are those that move money, customer data, employee data or products.) Don't do this yourself. You probably don't have the expertise, but even if you did, you wouldn't have the credibility you need to sell the business case.


Done right, you'll emerge from the assessment with a very good idea of the state of your IT security vs. where you should be and what you'll need to do to get there. Don't be defensive. Share the results with your CEO and business-unit chiefs. They'll become your allies in the fight to get the business case approved. Make it easy for them to understand the problem and the cure.
