
Selling Security to the CFO

How to make a credible case for spending money on IT security.

October 13, 2003 12:00 PM ET

Computerworld - "Shut it down, now!" The guy issuing this command was my chief information security officer (CISO). The "it" he ordered shut down was our entire Internet infrastructure. That infrastructure was generating more than $2 million of high-profit revenue every day. After a sleepless night he had finally figured out why we were suffering a prolonged denial-of-service attack. Our firewalls should have been flawlessly deflecting this attack, but they weren't. The "bad guys" were on us like flies on a dead dog.


His sudden realization was that the firewalls had been reloaded without any of the most critical defensive rules.


The cause of this attack turned out to be human error, but the event triggered a complete review of our Internet security, followed by a decision to beef up our defenses and outsource much of our security administration and monitoring.


Back in the good old days, security consisted of a few firewalls and some virus protection. The threats have outgrown those simple defenses, and the cost has outgrown the approval level of the CISO and, sometimes, that of the CIO. Fortune 500 companies are finding themselves with security expenditures that require CEO and even board-level approvals. Each one of these companies comes with a beady-eyed chief financial officer demanding a rock-solid business case with a credible return on investment.


So you've got three problems. You've got to determine the appropriate level of security for your company. You've got to build a business case that nontechnical senior executives will understand and support. You've got to show that there's a financial return coming out of the investment. And all this is for a system where, if it's performing perfectly, nothing happens, right?


Take a deep breath. It can be done, and with credibility that even the toughest CFO will buy into.


Step 1: Determine the current and appropriate levels of security. Get a security assessment done by a company with a solid reputation. Be sure to include vulnerability assessments and penetration tests against your key systems. (Key systems are those that move money, customer data, employee data or products.) Don't do this yourself. You probably don't have the expertise, but even if you did, you wouldn't have the credibility you need to sell the business case.


Done right, you'll emerge from the assessment with a very good idea of the state of your IT security vs. where you should be and what you'll need to do to get there. Don't be defensive. Share the results with your CEO and business-unit chiefs. They'll become your allies in the fight to get the business case approved. Make it easy for them to understand the problem and the cure.


