Selling Security to the CFO

How to make a credible case for spending money on IT security.

"Shut it down, now!" The guy issuing this command was my chief information security officer (CISO). The "it" he ordered shut down was our entire Internet infrastructure. That infrastructure was generating more than $2 million of high-profit revenue every day. After a sleepless night he had finally figured out why we were suffering a prolonged denial-of-service attack. Our firewalls should have been flawlessly deflecting this attack, but they weren't. The "bad guys" were on us like flies on a dead dog.

His sudden realization was that the firewalls had been reloaded without any of the most critical defensive rules.

The cause of this attack turned out to be human error, but the event triggered a complete review of our Internet security, followed by a decision to beef up our defenses and outsource much of our security administration and monitoring.

Back in the good old days, security consisted of a few firewalls and some virus protection. The threats have outgrown those simple defenses, and the cost has outgrown the approval level of the CISO and, sometimes, that of the CIO. Fortune 500 companies are finding themselves with security expenditures that require CEO and even board-level approvals. Each one of these companies comes with a beady-eyed chief financial officer demanding a rock-solid business case with a credible return on investment.

So you've got three problems. You've got to determine the appropriate level of security for your company. You've got to build a business case that nontechnical senior executives will understand and support. You've got to show that there's a financial return coming out of the investment. And all this is for a system where, if it's performing perfectly, nothing happens, right?

Take a deep breath. It can be done, and with credibility that even the toughest CFO will buy into.

Step 1: Determine the current and appropriate levels of security. Get a security assessment done by a company with a solid reputation. Be sure to include vulnerability assessments and penetration tests against your key systems. (Key systems are those that move money, customer data, employee data or products.) Don't do this yourself. You probably don't have the expertise, but even if you did, you wouldn't have the credibility you need to sell the business case.

Done right, you'll emerge from the assessment with a very good idea of the state of your IT security vs. where you should be and what you'll need to do to get there. Don't be defensive. Share the results with your CEO and business-unit chiefs. They'll become your allies in the fight to get the business case approved. Make it easy for them to understand the problem and the cure.

The assessment will tell you where your defenses are weak and drill deeply into each area of exposure. You should know for each application what the potential security breach would be, the total economic impact of such a breach and the likelihood of the breach happening. The best source for this type of data is the annual report jointly released by the Computer Security Institute and the FBI. It has credibility that your CFO will respect.

The last part of the assessment is to project your security costs over the next five years based on the use of your current technology and processes.

Step 2: Build a security plan to fix the holes identified by the assessment. Cover all the bases. Perimeter firewalls, virus protection, intrusion detection, internal network segmentation, applications, deployment, hiring, outsourcing, training, monitoring and operations all need to be included. Make it a five-year total cost of ownership (TCO) model. Whatever you do, don't underestimate the difficulty and cost of putting these pieces in place. There are countless stories of good people getting fired because they had intrusion-detection devices sitting in the warehouse six months after paying for them. They simply didn't have the staff to install the devices.

The TCO is going to be much bigger than you expect. Security is expensive. However, if you don't include all the elements and don't make the five-year TCO calculations, the CFO will just make you do it over, and you'll lose points. If you sneak a low-ball number through the approval process, you'd better start polishing your resume.

Step 3: Build an ROI-based business case for security investments. It can be done, and here's how: The secret is to explain to senior executives what you're trying to do in terms they can understand. They survive by making smart resource (money) allocation decisions. Give them an understandable set of facts, and they'll spit out the right answer.

Start at 50,000 feet. Mental pictures and diagrams work well with senior execs. I use a security S-curve diagram and a castle-and-moat analogy.

Explain that you're building a moat around a castle. Until you get the moat completely around the castle, you've spent a lot of money with no improvement in security. That analogy represents the far left side of the S-curve. Until you've established a minimum level of protection, you're spending a lot of money but are still totally vulnerable.

Once you've got the moat encircling the castle, you can decide how wide and how deep it needs to be. This is the middle of the diagram, which I call the Prudent Zone. It varies by vertical industry. Talcum powder manufacturers need less security than credit card processors. Building the moat a mile wide and only yards deep is a waste of good money. This represents the far right side of the S-curve. You're spending a lot of money and not significantly improving your security. CFOs fire CIOs who waste money these days; that looks really bad on the resume.

Next, drop down to 20,000 feet. Say what you want to do with the money and why. I use a risk/solution matrix. It takes data from the assessment and lists the risk areas, the economic impact of a security breach in each risk area, the likelihood of a breach happening and the resulting cost to the business of each breach. I match up the elements of my security plan against the risks and check every box where the plan addresses a risk.

I like to list all the actions required to complete the moat first. Then I list the actions that would bring the company to its Prudent Zone. Next, I list the things that would take the company a bit past the Prudent Zone—but not too far past.

Now that you've anchored each proposed action and its cost to a financial risk model, you need to tie an ROI to each action. You have four fundamental ROI opportunities for each action: reduce current costs, reduce future costs, reduce the financial risk to the business or increase revenue. CFOs get giddy over this stuff!

Investment in information security can provide an ROI by reducing your annual loss expectancy (ALE) from a security breach. ALE is a calculation of the actual cost of a security breach multiplied by the probability that such a breach might occur in the coming year. It's much like the actuarial calculations insurance companies use to compute your premiums.

For example, let's assume you have a Web site that does $2 million of business per day. The security assessment shows the site is vulnerable to a denial-of-service attack, which would result in a three-day outage, and there's a 60% likelihood of a successful attack occurring. The ALE is $2 million per day × three days × 60% = $3.6 million.

The security improvement costs $500,000 and will reduce the likelihood to 15% and the outage to one day. The improved ALE is $2 million per day × one day × 15% = $300,000. This yields a first-year return of $3.3 million ($3.6 million minus $300,000) from a $500,000 investment.
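The risk/solution matrix and ALE arithmetic described above can be kept as a small model so every proposed action is scored the same way. This is an added example, not part of the original article: the class and field names are hypothetical, the second risk and action are constructed, and the net-of-cost column is an assumption that goes one step past the article's $3.3 million figure.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    daily_loss: int      # dollars lost per day of outage
    outage_days: int     # expected outage length if the breach happens
    likelihood_pct: int  # chance of the breach in the coming year, in percent

    def ale(self) -> int:
        """Annual loss expectancy: breach cost x probability of breach."""
        return self.daily_loss * self.outage_days * self.likelihood_pct // 100

@dataclass
class Action:
    name: str
    cost: int            # first-year cost of the improvement
    risk: str            # name of the risk row this action addresses
    outage_days: int     # outage length once the action is in place
    likelihood_pct: int  # likelihood once the action is in place

def risk_solution_matrix(risks, actions):
    """One row per action: ALE before and after, reduction, net of cost; best first."""
    by_name = {r.name: r for r in risks}
    rows = []
    for a in actions:
        before = by_name[a.risk]
        after = Risk(before.name, before.daily_loss, a.outage_days, a.likelihood_pct)
        reduction = before.ale() - after.ale()
        rows.append({
            "action": a.name, "risk": a.risk,
            "ale_before": before.ale(), "ale_after": after.ale(),
            "ale_reduction": reduction,         # the article's "first-year return"
            "net_return": reduction - a.cost,   # assumption: return net of cost
            "covers_cost": reduction > a.cost,  # False = past the Prudent Zone
        })
    return sorted(rows, key=lambda r: r["net_return"], reverse=True)

# First entries use the article's figures; the "(constructed)" ones are made up.
RISKS = [
    Risk("web-site DoS", 2_000_000, 3, 60),
    Risk("order-system outage (constructed)", 100_000, 2, 10),
]
ACTIONS = [
    Action("DoS defense upgrade", 500_000, "web-site DoS", 1, 15),
    Action("standby order system (constructed)", 150_000, "order-system outage (constructed)", 1, 5),
]

for row in risk_solution_matrix(RISKS, ACTIONS): print(row)
```

The constructed second row comes out with a negative net return, which is how spending on the far right side of the S-curve shows up in the matrix.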

Now you've got all the raw ingredients for a successful business case. The next step is to let your IT finance person produce your company's standard ROI financial tables and then wrap the assessment summary, the security plan with its five-year TCO, the risk/solution matrix and the ROI calculations into the standard company format. Remember, you want the business case for security to look exactly like the business case for any other company investment.

Build a short PowerPoint presentation describing the highlights of your story. Stay high-level. If you get into the speeds and feeds, your audience's eyes will glaze over, and you'll lose credibility as a business person. Shop the PowerPoint pitch to each senior executive individually before your business case goes to the executive committee. Don't skip the CFO. Listen well and incorporate what you hear into the document. Now you're ready to take the business case to the executive committee.

Follow this formula, and your next problem will be figuring out how to spend the money.

Lewis, former CIO at InterContinental Hotels Group PLC, is head of The Edge Consulting Group LLC in Atlanta. He can be contacted at


Figure: The Security Continuum. A certain level of spending on security is required to reach the Prudent Zone, which varies by vertical industry.

Copyright © 2003 IDG Communications, Inc.
