As dismal as your prospects may seem when you're staring at an anemic budget, all is not lost. The magazine asked a group of security officers from several industries to share their advice on how to get business executives to acknowledge security risks, and to loosen the purse strings.
Sometimes you have to twist arms to get what you want. Or at least that's the belief held by the director of security at a $5 billion manufacturing giant we'll call "Company X." The security officer, who asked not to be identified, has business-unit managers sign "risk-acceptance sheets" if they balk at paying to fix vulnerabilities the officer identifies in their departments. If data is compromised or uptime disrupted, the unit manager has already taken responsibility in writing. Of course, not every security chief has that kind of bargaining power. But getting funds for security initiatives is a skill security pros must master to be successful. It is, after all, much better to procure funds in advance than to wait until after a security incident. The methods of successful security chiefs vary, but according to security experts two things remain constant: They present security technology in the context of regulatory priorities, and they build cases for deployment that largely sidestep conventional ROI considerations.
Regulations
Unfortunately, many organizations don't take the time to make rational risk assessments when choosing security deployments, says Fred Cohen, principal analyst at the Burton Group. Instead, an increasingly stringent regulatory environment drives most security decisions. IT security staff are learning to get funds by linking security expenditures to regulatory imperatives, such as Sarbanes-Oxley compliance, Cohen says.
Use regulatory changes to point out opportunities for increasing security in other areas of the business. If possible, use tangible evidence to prove a security risk. Use layman's terms, and don't inundate executives with information. Follow the examples set by successful non-IT managers who consistently get their expenses approved. Time your requests to coincide with a favorable point in the fiscal year to increase the odds that funds will be available.
A little networking with the people who hold the purse strings can help your cause.
Compliance concerns are leverage for security chiefs even in low-margin businesses. Solectron, an $11.6 billion company that provides electronics manufacturing services on a contract basis, must assure its clients that it has adequate disaster-recovery and other controls, which can have implications for the clients’ Sarbanes-Oxley compliance requirements.
Dennis Kavanaugh, Solectron’s director of architecture and risk management, says regulatory pressure has given him a bit more autonomy. He seizes opportunities to demonstrate how he can improve security whenever he’s discussing compliance controls with his CFO. Risks that haven’t actually materialized often will be pushed to the background in deference to some other regulatory mandate, Kavanaugh says. But he has success when he proposes smart spending without becoming overly aggressive. “Don’t be a kid in a candy shop, but take the opportunity to make practical, rational decisions,” Kavanaugh says. “You make the regulatory push, you tie it to the business, you maybe show some soft returns.”
Security technology doesn’t necessarily fit the conventional ROI models that support other IT investments. When return is quantifiable, it often involves lengthy research on factors, including how much time individual employees spend performing specific activities, and tying labor costs back to security tools, says Mike Griffin, SVP and director of information technology at PlainsCapital Bank. Such awkward quantifiers require security supervisors to get buy-in through strategies and skills unrelated to ROI.
Even ROSI (return on security investment) determinations produce only hypothetical numbers: They estimate what an attack or other security violation would cost if it occurred. Such calculations look at current risk levels, quantify the cost of data loss or system downtime and build arguments for improving defenses based on those numbers.
Privately held PlainsCapital must comply with the GLBA (Gramm-Leach-Bliley Act), which requires provisions for protecting consumers' personal financial information. The bank uses intrusion-protection technology, a virus-scanning system on its e-mail server and a spam filter that also catches viruses. But for two years Griffin couldn't secure funding for content-filtering technology to detect spyware. Things changed when a high-level PlainsCapital executive received an unsolicited fax that included a link to a pornographic Web site. When the executive realized anyone at the bank could access such sites from work, Griffin got $20,000 to buy content-filtering software from BlueCoat Systems.
"You want to be able to say, 'Here's your weakness, and here's your proof,'" Griffin says. If PlainsCapital hadn't been able to report which employees were accessing which Web sites, and therefore which machines could be exposed to spyware, it could have been in violation of GLBA, and subject to penalties, without knowing it. Griffin tries to keep things simple when attempting to convince executives of the bank's security risks. For instance, he has effectively used simple graphs showing the volume of incoming spam, instead of delivering a broad-based report.
When it comes to making presentations to non-IT executives, directness and brevity are keys to success, says Margarita Muratova, who manages database security as SQL Server administrator for Canadian accounting firm RSM Richter. Muratova recommends presenting two or three product options with a broad price range and limiting all proposals to one or two pages.
Business executives tend to be very "siloed" in their knowledge, says the director of security at Company X. As a result, they often have difficulty understanding the interdependencies between business processes and IT. Few people can fully grasp the relationship among physical security tools, how they're configured and what they protect. "You shouldn't have to build a watch to tell time," the security director says. He creates a "risk meter" by boiling each risk assessment down to three elements: the business unit affected; the application software in question; and the platform, such as NT or Unix. "Demonstrating ROI will usually be impossible," he says.
Foundstone’s vulnerability-management software scores the risk factor of enterprise systems by examining their position on the network, business function and known threats.
Risk Management
Other security pros advocate a thorough risk-assessment picture. Davi Ottenheimer, director of information security at boating supplies retailer West Marine, tries to link assets analytically with threats and present that information to business managers in the context of helping them perform their jobs better.
Vulnerability is an inexact metric, but it can take into account exposure to known viruses and how widely personnel can access data. "You want to help them do their jobs well," Ottenheimer says.
RSM Richter's Muratova also stresses the importance of timing technology requests to coincide with a favorable point in the fiscal year, including both quarterly and annual budget-planning cycles. She recently wanted to expand an existing deployment with a module that would give her a better view of which employees are accessing individual data records, but decided to hold off on pitching the module to her CFO and accounting partner committee until the new fiscal year began and a little more money was freed up.
http://www.securitypipeline.com/163105337