I sometimes wonder what it is that makes otherwise rational security folk seem to ignore the most fundamental aspect of any corporate IT security strategy when they convene to talk, discuss and architect the why, how and where of security in the corporate scheme of things, writes independent security strategist and business consultant Steve Maslin.
The number one question to be asked and answered is, how can security attract and deliver increased business value, and what metrics are in place to measure this increased value?
The bottom line is that it is all about the bottom line.
There are two fundamental commercial dimensions to introducing most security measures and strategy. One is to increase profitability; the other is to reduce cost. If you can deliver both simultaneously, then it is truly an exceptional and worthy goal.
I can hear all the purists talking about how security is so much more, and of course they are right in the bigger scheme of things, but at board level, looking at the infinite horizon and business longevity, the only thing worthy of substantial investment of time or money is improving the balance sheet, no more no less.
We can pretend there are a thousand other good intentions and motives, but never ignore the elephant in the room.
Security professionals must take time to evaluate and communicate just how the introduction of any security measure positively impacts the business fiscals, for both customers and the business. If we are not communicating exactly where a particular element of security increases commercial benefit and how this can be measured and monitored over a specific time period, then our argument for gaining increased mindshare and approval is flawed, with a significantly reduced chance of success.
The key commercial aspects when developing any internal or external security driven strategy and ambition are:
- How does it explicitly, implicitly and specifically create advantage?
- How does it financially and measurably benefit the business?
- How exactly does it introduce positive impact and where?
- What absolute and measurable fiscal benefits are delivered and over what time period?
- Why wouldn't you do this?
The answers to these questions provide the fuel for the vehicle that is going to prove best business and customer value to any organisation and provide the gateway to approval from every security stakeholder.
Here is a quick tick list of some factors to be considered:
- State the issue - be concise and blunt
- Calculate the current total cost of ownership versus the proposed TCO (where appropriate)
- Calculate and compute the qualitative and quantitative values that adoption of the new investment would bring to the client business. Translate these into clear and measurable fiscal terms
- Calculate return on investment and payback period. Prepare a projection forecast of what the investment would deliver in terms of expanded business profitability and benefit.
- State total economic impact - wrap up every factor, including risk reduction, flexibility of system, costs, TCO and payback period
- Compare and state the options of investing versus the status quo. Include risk analysis. The argument should be obvious and unequivocal. Explain precisely why the business should not invest time, effort and money elsewhere.
This was first published in September 2009