
I sometimes wonder what it is that makes otherwise rational
security folk seem to ignore the most fundamental aspect of any
corporate IT security strategy when they convene to talk, discuss
and architect the why, how and where security fits into the
corporate scheme of things, writes independent security
strategist and business consultant Steve Maslin.
The number one question to be asked and answered is, how can
security attract and deliver increased business value, and what
metrics are in place to measure this increased value?
The bottom line is that it is all about the bottom line.
There are two fundamental commercial dimensions to introducing
most security measures and strategy: one is to increase
profitability, the other is to reduce cost. If you can deliver both
simultaneously then it is truly an exceptional and worthy goal.
I can hear all the purists talking about how security is so much
more, and of course they are right in the bigger scheme of things,
but at board level, looking at the infinite horizon and business
longevity, the only thing worthy of substantial investment of time
or money is improving the balance sheet, no more no less.
We can pretend there are a thousand other good intentions and
motives, but never ignore the elephant in the room.
Security professionals must take time to evaluate and
communicate just how the introduction of any security measure
positively impacts the business fiscals, for both customers and the
business. If we are not communicating exactly where a particular
element of security increases commercial benefit and how this can
be measured and monitored over a specific time period, then our
argument for gaining increased mindshare and approval is flawed,
with a significantly reduced chance of success.
The key commercial aspects when developing any internal or
external security-driven strategy and ambition are:
- How does it explicitly, implicitly and specifically create
advantage?
- How does it financially and measurably benefit the
business?
- How exactly does it introduce positive impact and where?
- What absolute and measurable fiscal benefits are delivered and
over what time period?
- Why wouldn't you do this?
The answers to these questions provide the fuel for the vehicle
that is going to prove best business and customer value to any
organisation and provide the gateway to approval from every
security stakeholder.
Here is a quick tick list of some factors to be considered:
- State the issue - be concise and blunt
- Calculate the current total cost of ownership versus the
proposed TCO (where appropriate)
- Calculate the qualitative and quantitative values that adoption
of the new investment would bring to the client business, and
translate these into clear and measurable fiscal terms
- Calculate return on investment and payback period. Prepare a
projection forecast of what the investment would deliver in terms
of expanded business profitability and benefit.
- State total economic impact - wrap up every factor, including
risk reduction, flexibility of system, costs, TCO and payback
period
- Compare and state the options of investing versus the status
quo. Include risk analysis. The argument should be obvious and
unequivocal. Explain precisely why the business should not invest
time, effort and money elsewhere.
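The tick list above amounts to a small financial model: TCO of the status quo versus the proposal, the yearly net gain, return on investment, payback period and a total economic impact figure. The following Python is an added worked example, not part of the article and not Steve Maslin's own method; it assumes that "risk reduction" is expressed as a fall in annual loss expectancy (ALE, the expected yearly loss from the risks each option leaves in place), and every figure in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Option:
    """One investment option, described in yearly fiscal terms.

    All amounts are in the same currency unit; the figures used below are
    constructed sample values, not taken from any real business case.
    """
    name: str
    upfront_cost: float            # one-off spend in year 0
    annual_cost: float             # recurring running cost per year
    annual_loss_expectancy: float  # expected yearly loss from residual risk (ALE, assumed measure)
    annual_benefit: float = 0.0    # other measurable yearly gain (e.g. revenue the control enables)


def tco(option: Option, years: int) -> float:
    """Total cost of ownership over the planning horizon."""
    return option.upfront_cost + option.annual_cost * years


def annual_net_gain(baseline: Option, proposed: Option) -> float:
    """Yearly gain of the proposal over the baseline.

    Risk reduction (lower ALE) plus extra benefit, minus extra running cost.
    """
    risk_reduction = baseline.annual_loss_expectancy - proposed.annual_loss_expectancy
    extra_benefit = proposed.annual_benefit - baseline.annual_benefit
    extra_running_cost = proposed.annual_cost - baseline.annual_cost
    return risk_reduction + extra_benefit - extra_running_cost


def roi(baseline: Option, proposed: Option, years: int) -> float:
    """Return on investment over the horizon as a ratio (0.5 means 50 %)."""
    investment = proposed.upfront_cost - baseline.upfront_cost
    total_gain = annual_net_gain(baseline, proposed) * years
    return (total_gain - investment) / investment


def payback_years(baseline: Option, proposed: Option) -> Optional[float]:
    """Years until cumulative net gain repays the upfront investment.

    Returns None when the proposal never pays back (no positive yearly gain),
    so the caller cannot mistake a failing case for a quick payback.
    """
    investment = proposed.upfront_cost - baseline.upfront_cost
    gain = annual_net_gain(baseline, proposed)
    if gain <= 0:
        return None
    return investment / gain


def total_economic_impact(baseline: Option, proposed: Option, years: int) -> float:
    """Net position over the horizon: all yearly gains minus the upfront spend."""
    investment = proposed.upfront_cost - baseline.upfront_cost
    return annual_net_gain(baseline, proposed) * years - investment


def business_case(baseline: Option, proposed: Option, years: int) -> dict:
    """Side-by-side comparison of investing versus the status quo."""
    return {
        "horizon_years": years,
        "tco_status_quo": tco(baseline, years),
        "tco_proposed": tco(proposed, years),
        "annual_net_gain": annual_net_gain(baseline, proposed),
        "roi": roi(baseline, proposed, years),
        "payback_years": payback_years(baseline, proposed),
        "total_economic_impact": total_economic_impact(baseline, proposed, years),
    }


# Constructed sample inputs: the status quo keeps a higher expected yearly loss;
# the proposal costs more to buy and run but cuts that loss and enables some revenue.
STATUS_QUO = Option("status quo", upfront_cost=0.0, annual_cost=20_000.0,
                    annual_loss_expectancy=150_000.0)
PROPOSED = Option("new control", upfront_cost=80_000.0, annual_cost=45_000.0,
                  annual_loss_expectancy=40_000.0, annual_benefit=10_000.0)

if __name__ == "__main__":
    for key, value in business_case(STATUS_QUO, PROPOSED, years=3).items():
        print(f"{key:>22}: {value}")
```

With the sample figures the proposal's three-year TCO is well above the status quo's, yet the yearly risk reduction and extra benefit outweigh the higher running cost, giving a payback of under a year and a positive total economic impact; a proposal whose yearly gain is zero or negative reports no payback at all, which is the "status quo wins" outcome the last tick-list item asks you to state honestly.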