Selling Security to the CFO
How to make a credible case for spending money on IT security.
Computerworld - "Shut it down, now!" The guy issuing this command was my chief information security officer (CISO). The "it" he ordered shut down was our entire Internet infrastructure. That infrastructure was generating more than $2 million of high-profit revenue every day. After a sleepless night he had finally figured out why we were suffering a prolonged denial-of-service attack. Our firewalls should have been flawlessly deflecting this attack, but they weren't. The "bad guys" were on us like flies on a dead dog.
His sudden realization was that the firewalls had been reloaded without any of the most critical defensive rules.
The cause of this attack turned out to be human error, but the event triggered a complete review of our Internet security, followed by a decision to beef up our defenses and outsource much of our security administration and monitoring.
Back in the good old days, security consisted of a few firewalls and some virus protection. The threats have outgrown those simple defenses, and the cost has outgrown the approval level of the CISO and, sometimes, that of the CIO. Fortune 500 companies are finding themselves with security expenditures that require CEO and even board-level approvals. Each one of these companies comes with a beady-eyed chief financial officer demanding a rock-solid business case with a credible return on investment.
So you've got three problems. You've got to determine the appropriate level of security for your company. You've got to build a business case that nontechnical senior executives will understand and support. You've got to show that there's a financial return coming out of the investment. And all this is for a system where, if it's performing perfectly, nothing happens, right?
Take a deep breath. It can be done, and with credibility that even the toughest CFO will buy into.
Step 1: Determine the current and appropriate levels of security. Get a security assessment done by a company with a solid reputation. Be sure to include vulnerability assessments and penetration tests against your key systems. (Key systems are those that move money, customer data, employee data or products.) Don't do this yourself. You probably don't have the expertise, but even if you did, you wouldn't have the credibility you need to sell the business case.
Done right, you'll emerge from the assessment with a very good idea of the state of your IT security vs. where you should be and what you'll need to do to get there. Don't be defensive. Share the results with your CEO and business-unit chiefs. They'll become your allies in the fight to get the business case approved. Make it easy for them to understand the problem and the cure.
- Aberdeen Group: Marketing Analytics for Manufacturing: Forging Customer Insights There are no recalls for poor marketing. Manufacturers need to get their customer intelligence and messaging right the first time. Learn how.
- The Brave New World of Customer-Centric Manufacturing The Unique Opportunity for Manufacturers to Better Understand their Consumers
- See the Possibilities Utilizing Data Visualization Do you simply want to collect data, or do you want to derive business insights from it? What if you could quickly and...
- Are You Prepared for a Software Audit? Just the word "audit" is enough to make anyone shiver, and when it comes to a software audit, the reaction is no different....
- Leveraging Flash Storage to Accelerate Oracle Real Application Clusters Join this webinar to understand the latest solid-state storage trends, the specific applications driving solid-state storage deployments and the benefits of deploying the...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to... All IT Industry White Papers | Webcasts