Avoid Security Spending Fatigue

How to stoke the security funding fires and articulate the value of resources already spent.
April 17, 2006 (Computerworld) -- Xerox Corp. takes information security pretty seriously. It regularly conducts network vulnerability scans, as well as corporate audits of its risk mitigation efforts. A compliance program buoys employee awareness of its security processes -- as well as its disaster recovery, information privacy and Sarbanes-Oxley Act policies -- and an executive board champions adherence to them all. Meanwhile, the security budget at the Stamford, Conn.-based company is holding steady compared with last year, even as its other IT spending is down.

And yet, as Xerox Chief Security Officer Audrey Pantas says, "you never get as much as you'd like -- you could always do more." And that sums up the mind-set surrounding IT security at corporations today: No matter how much money you pour into it, you'll always need to go back to the well.

With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as CXOs increasingly look for the business value earned on the security dollars spent.

"Senior management knows there's a problem, but it seems that every day the problem gets worse, and it's like there's no end in sight," says Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium, an IT consultancy in Arlington, Mass. "There's the feeling that they could give security every single penny and it still wouldn't be enough."

To keep the security budget from looking like a black hole, you need to articulate the value of the money being spent. Here are some do's and don'ts for doing just that.

Don't Use Scare Tactics

Every day, it seems, a story emerges about a backup-tape theft or compromised customer data. But don't overuse these incidents when seeking to justify your funding requests. "CXOs can become desensitized or jaded if they hear too much about reports that they don't think affect them," says Christopher Bomar, founder of Boomarang LLC, an online data-backup service firm in Cincinnati.

"FUD has been used up," agrees Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference (McGraw-Hill Osborne Media, 2003). "So many people have cried wolf that executives are inured to scary stories."

You might, however, consider using recent security incidents to shed light on your company's needs. For instance, you can send out regular e-mails that put news stories into perspective and show how they apply -- or don't -- to your business, says Bob Dehnhardt, network and information security manager at TriNet, a human resources services firm in San Leandro, Calif. "You can use these incidents as an opening, but back them up with a strong business case," he says.

For instance, when a report comes out about backup tapes being stolen, point out what happened to the company's stock price on the day the story broke, says Gary McGraw, chief technology officer at security consultancy Cigital Inc. and author of Software Security: Building Security In (Addison-Wesley Professional, 2006).

[Chart: The Rising Tide. Source: Exclusive Computerworld survey, March 2006]

Do Use Horizon Planning

Instead of asking for funding several times a year, project the security costs that need to be incurred over a 12-to-24-month time horizon, Rhodes-Ousley says. "CXOs can swallow that more easily," he says. "If you say you need certain things next year, you can get funding more easily than saying you need something now."

At Xerox, Pantas develops a three-to-four-year strategic plan for the company's security efforts and then prioritizes which of those projects to pursue in the ensuing year. "I do work off an overall strategic plan on where we want to take security," she says.

Do Let the CXO Define Acceptable Risk

Business executives deal with risk all the time, so before forking over money for protecting corporate systems and data, they first want to know the degree of legal, financial, operational and strategic risk they're facing. Only then can they decide how much they need to mitigate their exposure and, thus, how much they want to spend.

"If the CIO is bringing concrete evidence of exposure, liability and even an actual incident, the discussion changes from 'Should we do this?' to 'How much would it cost to make this go away?'" Bomar says.

When you present this information, give the executives an array of choices with different levels of protection -- like they'd get when choosing an insurance plan, Charette says. "Let them understand what's at risk and then let them choose how much they want to cover themselves," he says.

Doug Lewis, a former CIO and a senior partner at The Edge Consulting Group LLC in Atlanta, calls this "finding the prudent zone." He recommends adding up how much it would cost to improve security and then plotting the range of spending options on a chart. On one side of the chart is the "danger zone," where security is insufficient, and on the other is the "ridiculous zone," where the company is overspending. Somewhere in the middle, he says, is the prudent zone, which will vary depending on your industry and security risks.

"You have to explain that if you're manufacturing talcum powder, you're probably not a big target for intellectual property theft, compared to a health care firm or a bank," Lewis says. "You have to take a balanced, prudent view and not overbill the case."

Do Use Business Language

When you live and breathe security, it's easy to be passionate about things like the difference between intrusion prevention and intrusion detection. But don't bring that talk into a board meeting. "You have to explain yourself in human-readable terms," Lewis says. "What the CEO wants to know is, 'Am I being protected at a prudent level, and if not, what do I need to do to get there?'"

When Pantas discusses the importance of avoiding vulnerabilities in software code, for instance, she doesn't go off on a tangent about cross-site scripting, she says.

So instead of saying things like "threat detection," "encryption" and "data protection," use terms like "exposure," "indemnity," "protecting the brand" and "effect on market cap," says Tom Scholtz, an analyst at Gartner Inc.

For instance, if your company just launched a branding campaign for its product or service, brand protection is a relevant justification for security spending. "You say, 'You guys spent $200 million last year on branding your credit card as the cool card to carry around, and one story in The Wall Street Journal can bring that all tumbling down,'" McGraw says. "Then, if someone says, 'Why did we install that expensive apparatus?' you can say, 'Because we're protecting the brand.'"

And you had better be able to state your case in an "elevator speech" -- a concise, compelling argument that can be made in less than a minute. "What's that one message?" Charette says. "They don't care about the different levels of encryption -- they care about the harm it will keep the company from suffering and how much it's exposed in the different scenarios."

Don't Use ROI Arguments

Investing in security rarely yields a return on investment, so promising an ROI will sound ill-informed to a senior executive. "You really have to talk about it from an insurance perspective," Pantas says. "It's more about cost avoidance or cost of compliance; there's very little in what we do that's relative to gaining ROI."

It's possible to discuss other benefits of security spending, such as protecting the company's ability to generate revenue, keep market share or retain its reputation. But ROI relates to expanding revenue and profits, "and security isn't about that," Charette says. "Trying to sell it as if it's a revenue generator is a good way to have the board say, 'Are you nuts?'"

Do Report on Benefits From Past Spending

Before asking for more security funding, make sure you close the loop on your previous spending by regularly updating executives on the results of those efforts. This means regularly measuring things like how many malicious attempts were stopped at the firewall or how quickly incidents were resolved and summarizing this data in a meaningful way.

Pantas has her team conduct regular audits on network attacks, providing her not only with an idea of where vulnerabilities continue to exist but also with a record of improvement over time.

"After you've invested in new security technology, you need to come back six months later and show what you've achieved and how it squares up with what you intended to achieve," Scholtz says.

You also need metrics to show that it's good when nothing happens, McGraw says. For instance, following a worm outbreak, use network-activity reporting to show that you had the proper protective measures in place. Otherwise, you can fall into the chicken-and-egg trap, where people begin wondering why you have to keep investing in security when nothing bad ever happens.

McGraw also cautions against getting too granular in your reporting efforts. "They don't want to see your firewall logs or the number of virus scans or something geeky that you have to explain in three paragraphs," he says. "What they want to know is they invested $10 million in this product line and it's not going to be hacked on the first day."
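The reporting advice above (count what the controls stopped, track how fast incidents close, show the trend, and keep the board-level summary to a few numbers) is easy to state and tedious to do by hand. The script below is an added example of that roll-up, not code from the article or from any of the companies it quotes. The firewall log format, the incident records and all addresses (RFC 5737 documentation ranges) are constructed for illustration; a real deployment would feed in its own firewall export and ticketing data.

```python
"""Roll raw security telemetry up into the handful of numbers an executive
report needs (blocked attempts, attacking sources, time to resolve
incidents) and compare the current period against the previous one.

Added example. The log format and incident records are constructed for
illustration and do not come from the article.
"""
import re
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed firewall log lines in a generic key=value format. The
# "corrupted record" line stands in for the garbage every real export has.
FIREWALL_LOG = """\
2006-04-10T02:13:44Z DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2006-04-10T02:13:45Z DENY src=203.0.113.7 dst=192.0.2.11 dport=445 proto=tcp
2006-04-10T02:14:01Z ACCEPT src=198.51.100.22 dst=192.0.2.10 dport=443 proto=tcp
2006-04-10T03:40:12Z DENY src=203.0.113.9 dst=192.0.2.10 dport=1433 proto=tcp
2006-04-11T11:02:58Z DENY src=198.51.100.40 dst=192.0.2.12 dport=22 proto=tcp
2006-04-11T11:03:02Z DENY src=198.51.100.40 dst=192.0.2.12 dport=22 proto=tcp
corrupted record ###
2006-04-11T11:05:30Z ACCEPT src=198.51.100.22 dst=192.0.2.10 dport=80 proto=tcp
2006-04-12T23:59:59Z DENY src=203.0.113.7 dst=192.0.2.10 dport=135 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed incident records; the "prior" period supplies the baseline
# that turns a single number into a trend.
INCIDENTS = [
    {"id": "INC-101", "period": "prior",   "opened": "2005-10-03T09:00:00Z", "closed": "2005-10-05T17:00:00Z"},
    {"id": "INC-102", "period": "prior",   "opened": "2005-11-14T13:30:00Z", "closed": "2005-11-16T01:30:00Z"},
    {"id": "INC-201", "period": "current", "opened": "2006-02-06T08:00:00Z", "closed": "2006-02-07T08:00:00Z"},
    {"id": "INC-202", "period": "current", "opened": "2006-03-20T10:15:00Z", "closed": "2006-03-20T22:15:00Z"},
    {"id": "INC-203", "period": "current", "opened": "2006-04-01T00:00:00Z", "closed": "2006-04-01T06:00:00Z"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def summarize_firewall(log_text):
    """Count blocked connection attempts, distinct attacking sources and the
    most-targeted ports. Malformed lines are counted rather than silently
    dropped, so a broken export cannot masquerade as a quiet month."""
    denied = 0
    sources = Counter()
    ports = Counter()
    malformed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        if m["action"] == "DENY":
            denied += 1
            sources[m["src"]] += 1
            ports[int(m["dport"])] += 1
    return {
        "blocked_attempts": denied,
        "distinct_sources": len(sources),
        "top_ports": [p for p, _ in ports.most_common(3)],
        "malformed_lines": malformed,
    }


def mean_time_to_resolve_hours(incidents, period):
    """Mean open-to-close time in hours for one period, or None if empty."""
    durations = [
        (_ts(i["closed"]) - _ts(i["opened"])).total_seconds() / 3600
        for i in incidents if i["period"] == period
    ]
    return mean(durations) if durations else None


def executive_summary(log_text, incidents):
    """The few numbers that belong on the slide, plus the period-over-period trend."""
    fw = summarize_firewall(log_text)
    prior = mean_time_to_resolve_hours(incidents, "prior")
    current = mean_time_to_resolve_hours(incidents, "current")
    improvement = None
    if prior and current is not None:  # guard against a missing or zero baseline
        improvement = round((prior - current) / prior * 100)
    return {
        "blocked_attempts": fw["blocked_attempts"],
        "distinct_sources": fw["distinct_sources"],
        "mttr_hours_current": current,
        "mttr_hours_prior": prior,
        "mttr_improvement_pct": improvement,
    }


if __name__ == "__main__":
    for key, value in executive_summary(FIREWALL_LOG, INCIDENTS).items():
        print(f"{key:>22}: {value}")
```

On the constructed data the summary reports six blocked attempts from three sources and a mean time to resolve that fell from 46 hours to 14, a 70% improvement. Those are the figures to show; the port breakdown and the raw log stay in the appendix for whoever asks, which is the granularity point McGraw makes above.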

Unfortunately, the most reliable way to ensure security funding is through regulation, "and that's a shame," Rhodes-Ousley laments. "Businesses simply won't do the right thing, such as protecting customer identities and private information, if they're not required to." The best thing to do in those instances, Scholtz says, is to partner with the internal compliance organization. "Complying with regulations has very direct consequences for information security and IT," he says. "But it's really the business that needs to make the risk-based decision on what they're going to do."

Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.

Special Report: The Business of Security
Stories in this report: Avoid Security Spending Fatigue; Regulatory Driver