With the number of breaches increasing across all industries and with increased media coverage, organizations are definitely becoming more aware of the importance of information security. However, the risk-based approach to selling security earns us only limited attention, money and respect within an organization.
The most common way organizations look at information security is that “IS is a cost center” with no direct or obvious business benefits. As long as we, as information security professionals, let that impression stand, we will always be competing with business priorities that directly save costs, directly enable business, directly make operations more efficient, or contribute to business compliance or mandates.
On the other hand, some IS organizations have taken the opposite extreme of translating every information security risk into cost savings, to the point where the stretch becomes so great that the risk loses its context and nobody believes it is a real cost saver. E.g. our typical risk formula: likelihood (vague) * impact (vague), then convert it into $ (more vague) and sell it to your business to get more money!
Compare these two scenarios:
Scenario 1: An IT team or business team goes to a C-level exec, identifies a pain point and offers a solution: We have observed that our customer wait times are 20-30 minutes. Each customer service rep spends 25 minutes enrolling a customer in our service offering; if we went with another software product, it would take us 10 minutes to enroll each customer.
The cost of the new software is $100k, and our customer wait times can be reduced to 2 minutes. Now consider how the exec interprets this proposal: he was presented with an existing pain point and a solution along with its associated cost, a solution that directly alleviates the pain point related to customer service and customer experience and could further improve customer retention and growth.
Scenario 2: The information security team goes to a C-level exec, communicates the risks identified in the organization, and says: to alleviate this high authentication control risk you need to spend $100k; if you don’t spend $100k you’re going to incur losses of $1 million, because the likelihood of this happening is medium and the impact is high. Again, consider how an exec interprets this proposal.
The exec may think: “This risk has existed in my organization for the past ten years and has not been exploited; the likelihood is medium, not high; and the impact is the worst-case scenario, assuming all of this happened and was neither contained nor detected in time.”
Everything here is anticipated or vague and based on worst-case scenarios for an identified risk. One of the most interesting responses I got from one of the execs I have worked with in the past is: “How do you think I have made it so far in my career? I have taken risks all along; what makes this risk so special?”
If the exec has $100k of budget, which of the above two $100k scenarios is he or she likely to approve? My guess would be that the exec says let’s go with scenario 1 for now, since it directly relates to customer growth, operational efficiency and customer experience, and revisit scenario 2 in 6 months. Overall, the likelihood of scenario 2 being funded also drops to medium or below with every subsequent cycle.
How can we change this risk-focused security selling into a mutual-business-benefit selling approach, now that our uber-formula of likelihood * impact is not getting us any dollars? The idea is not to belittle this risk calculation formula but to understand how to apply it and to pick the appropriate audience for it. With that said, let’s understand the goals of the different organizations within an enterprise.
For a CIO organization that is responsible for operations, it is all about availability, operational efficiency, etc. For a CTO organization, it is all about building new technical capabilities to support new business processes, faster time to market, etc. For a CFO organization, it is all about saving costs.
For a customer service organization, it is all about customer growth, customer experience and customer retention. For a compliance organization, it is all about tracking new compliance directives and ensuring compliance. Notice that for any of these organizations, if you talk about security risks, you are completely missing the point of what they care about on a day-to-day basis.
In essence, information security risks should be geeked out over and presented within the security organization, as they are the right audience for it. Once you go outside your organization to ask for money or support from other organizations within the enterprise, you should translate the benefits of the proposed security solution into the context of each organization’s objectives. Let us walk through some examples:
From scenario 2, for a proposed enterprise authentication solution motivated by multiple authentication control risks, you could muster the support of different organizations in the following ways:
- Identify business process pain points and map them to how the authentication solution will reduce sign-ons for the operations team and customer reps, improving operational efficiency and customer experience.
- Identify areas that have compliance gaps, or that require too much effort to measure or monitor compliance, and map them to how the authentication solution solves these problems.
- Identify existing siloed authentication control technology implementations, along with their associated processes and people within the enterprise, and show how your authentication solution could consolidate people, process and technology and save costs, time and labor.
- Identify current business process pain points in integrating our technical systems with partners, customers, subsidiaries, etc., and show how they could be alleviated, enabling business through an industry-standard identity federation solution that offers faster and more streamlined integration.
- Further, you could don a business strategy hat and illustrate how your authentication solution could enable specific strategic business use cases that the business wants to enable in the near future, e.g. mobile apps, social networks, etc.
- Last but not least, show how your authentication solution could solve multiple identified authentication security risks.
Now if you replay scenario 2 with the above metrics, it is a much easier decision for the exec to fund your proposed $100k budget. The proposal presents very specific pain points, very specific benefits, and ROI. The key aspect to keep in mind here is that ROI does not always have to be cost in dollars; it could be cost in time, cost in compliance, cost in customer experience, faster time to market, etc.
The more direct and contextual the benefits are, the more plausible your business case becomes. The context helps get the right non-security organizations to back you up, due to the mutual benefits the proposed solution offers in alleviating existing business process pain points.
Now you are moving towards a culture in which the enterprise has started recognizing information security as a business enabler and not just a cost center.
About the Author: Kapil Assudani (@kapslock) has more than 11 years of experience in multiple security roles as a “Breaker” and “Builder”. After starting his career in network and application penetration testing for Fortune 100 clients as a breaker, Kapil moved onto the “builder” side of information security, and has since provided consulting on technical architecture lock-downs and on building enterprise security solutions like SIEM, PKI, and web authentication/authorization. Kapil has extensive experience in designing and executing information security risk management technical control frameworks, enterprise security architecture and strategy. Currently Kapil is leading the “Technical Security Services” Risk Management Program at one of the country’s largest private health insurers in a Senior Manager role, and is responsible for the execution of a $30 million security capability roadmap.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.