If you are an information security professional, you have probably been frustrated numerous times because your executives simply couldn’t understand why they should listen to you. But is the problem with them, or with you?
Think in terms of business benefits
From my experience, the main problem is not that your top management is lacking the necessary mental capabilities; rather, it’s that they don’t see any business benefit in information security.
Why are these benefits so crucial? Because this is the only way to get their attention – otherwise, they will perceive your suggestions (or even worse – proposals for investment) as something that is not really necessary for their company.
Further, you have to make sure these benefits are presented from a business point of view, not from a security or IT point of view. For example, speaking about buying a new firewall doesn’t seem very appealing to executives, but speaking about decreasing the cost of incidents certainly does.
According to what I have learned through experience, the benefits from information security usually come down to these four: compliance, marketing edge, decreasing costs, and optimizing business processes. Not every one of these potential benefits will apply to your company, but it is important that you find at least one that would make a difference for your business. Here’s a detailed explanation of each:
Compliance
If you have identified any kind of law or regulation, or a contractual requirement related to information security, you can tout your cybersecurity project as meeting compliance with all the identified requirements. So, the main benefit would be that this kind of a project will give you peace of mind that you didn’t omit any piece of the puzzle, so that you will avoid paying any penalties.
Furthermore, if you choose the framework for the cybersecurity implementation wisely, you will spend far less time implementing all the safeguards as opposed to if you didn’t have such a systematic approach.
Marketing edge
Unless you are selling some kind of information security tools or consulting services, at first glance information security and marketing do not seem to have much in common. However, you need to show third parties – such as clients – that you can handle their information safely.
This can be done through the certification process – most widespread certificates for organizations are ISO 27001 and PCI DSS. In some situations you don’t need a certificate – if you have larger clients you can simply ask them to send an audit team to check if your level of security is satisfactory.
This can be a sales tool to help your company gain new clients because you can prove to your potential customers that you will protect their information better than your competitors.
This also means that your chances of retaining existing customers will be higher because you can prove to them you are a more secure option than the other companies that are trying to earn their business. And the investment in information security is usually far less than the potential profit from these customers.
Decreasing the costs
The underlying philosophy of information security is prevention: you invest now in order to save money later. You can also consider information security to be your insurance policy; you pay now in order to avoid the consequences of some damaging incident later.
The main catch here is how to make sure that the investments in safeguards do not exceed the costs of the potential incidents that you prevent. In other words, the question is how to make sure you have a return on investment in cybersecurity. This is where the concept of risk management is utilized: let’s imagine that you want to calculate the ROI on mitigating the risk of fire in your data center.
For instance, if your data center gets destroyed in a fire and the cost to become operational again is estimated to be $2 million including all related costs and the damage, and the odds of this kind of occurrence are rated at once in 100 years, your annualized risk is $20,000 ($2 million multiplied by 1%). This means that as long as your investment in fire suppression systems is less than $20,000 annually, you should make a profit.
Now, you might be thinking that predicting the likelihood and total cost of damage is impossible, and you are probably right. Unless you have precise statistical data, calculating this type of risk can be difficult, but the point is that you can show how an investment in information security is profitable when done wisely and with a good measure. (You can use this Return on Security Investment Calculator to help you estimate your risks, damage, and mitigation costs.)
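The calculation in the fire scenario above, worked through in code. This is an added example, not the article’s own calculator or the author’s code. It uses the standard quantitative risk terms: single loss expectancy (SLE) is the cost of one incident, annual rate of occurrence (ARO) is the expected number of incidents per year, and annualized loss expectancy (ALE) is SLE × ARO. It goes one step beyond the article by adding a mitigation ratio (no safeguard removes 100% of a risk) and the common return on security investment (ROSI) formula, (avoided loss − control cost) / control cost; the control costs and mitigation ratios are constructed assumptions, not figures from the article.

```python
"""Annualized risk and return on security investment (ROSI) for the
data-center fire scenario. Added example; the control costs and mitigation
ratios below are constructed assumptions, not figures from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one incident, in dollars
    aro: float   # annual rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: what this risk costs per year on average."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # yearly cost of the safeguard (amortised capex plus opex)
    mitigation_ratio: float   # fraction of the ALE the control removes, 0.0..1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be between 0 and 1")
        if self.annual_cost < 0:
            raise ValueError("annual_cost cannot be negative")


def annual_savings(risk: Risk, control: Control) -> float:
    """Loss avoided per year: the part of the ALE the control eliminates."""
    return risk.ale * control.mitigation_ratio


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment as a ratio: (avoided loss - cost) / cost.

    ROSI > 0 means the control saves more than it costs; ROSI < 0 means the
    safeguard is more expensive than the expected loss it prevents.
    """
    if control.annual_cost == 0:
        raise ValueError("cannot compute ROSI for a control with zero cost")
    return (annual_savings(risk, control) - control.annual_cost) / control.annual_cost


def break_even_annual_cost(risk: Risk, mitigation_ratio: float) -> float:
    """Largest yearly spend at which a control with this mitigation ratio still pays off.

    With a mitigation ratio of 1.0 this equals the ALE, which is the $20,000
    figure from the article; a control that only halves the risk is only
    worth half that much per year.
    """
    return risk.ale * mitigation_ratio


if __name__ == "__main__":
    # Figures from the article: $2 million loss, once in 100 years.
    fire = Risk("data-center fire", sle=2_000_000, aro=1 / 100)
    print(f"ALE for {fire.name}: ${fire.ale:,.0f}")
    print(f"Break-even spend at full mitigation: ${break_even_annual_cost(fire, 1.0):,.0f}")
    # Constructed candidate safeguards (costs and effectiveness are assumptions).
    for control in (
        Control("fire suppression, assumed 90% effective", 15_000, 0.90),
        Control("premium suppression, assumed 95% effective", 25_000, 0.95),
    ):
        print(f"{control.name}: ROSI = {rosi(fire, control):+.2f}")
```

The break-even helper makes the article’s caveat explicit: the $20,000 ceiling only holds for a safeguard that eliminates the risk entirely, so a realistic control that removes 90% of the expected loss has to cost less than $18,000 a year to pay for itself.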
Optimizing the business processes
Finding an organization where everything is running smoothly is rare, and even then the situation is usually temporary. In fact, chances are that companies that have not clearly defined their internal organization will have higher cybersecurity risks. For example, in fast-growing IT companies the main problem is that they did not have time to sit back and think about how to optimize their internal processes.
As a result, who needs to do what, who is authorized to make certain decisions, who is responsible for what, and so on are not very well defined. Commonly, the effect of such a situation is that employees waste their time filling in loopholes in the organization, which keeps them from focusing on their own work.
Information security is very often nothing else but clearly defining working procedures, so as a byproduct of cybersecurity implementation you will have a much more organized company. Security is primarily the product of well-defined processes, and since security is present in all areas of your organization, this sorting out of your business will cover a much wider area than the security processes only.
How to determine the benefits?
The best option would be to fit one or more of these benefits into your company strategy – if you could find a link between the cybersecurity benefits and your strategic objectives, then you would hit the target dead center. This might seem like a long shot at first glance, but with careful thinking this is not such an impossible task. Frequently, a brainstorming session will produce this kind of a link.
On a personal side, defining benefits that would fit certain key players in a company is vital. For example, your sales manager might initially oppose the idea of information security because of a possible slowdown of sales operations.
However, if you explain to him or her that an increased level of information security will mean that the competition will not be able to access confidential information (such as details of your proposals) while in the phase of negotiating with a new client, you will probably get an enthusiastic commitment.
But, let me also mention here that you will not be able to figure out the benefits to everyone on your own. Finding out the benefits will most probably have to include members of your top management, as well as employees from various parts of your organization and from various levels in the hierarchy. This is an ongoing process, not a decision that is made at one point in time.
So, to conclude – your executives, as well as your other colleagues, have to focus on lots of other issues and have very little time or interest in information security. So you have to help them – start thinking in terms of business benefits, start using business terminology, and start being a diplomat instead of a cybersecurity geek.
If you don’t do so, your information security efforts will be in vain.
About the Author: Dejan Kosutic is an expert in ISO 27001 and ISO 22301, leading international standards for information security and business continuity management. To get deeper insight on how to set the basics of information security, download this free book: 9 Steps to Cybersecurity.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.