As highlighted by a recent Ernst & Young survey – showing that 85% of respondents do not think information security professionals support business needs – there is a need to better define and articulate the business value of rigorous information security practices. The issue is one of communication. What may seem obvious to an information security practitioner may not be so clear to people working in other disciplines.
At Gartner, we advise IT leaders and security professionals to prepare four actionable steps that clearly and effectively communicate the business value of information security to internal teams and business leaders.
1. Develop a business value model (like Gartner's 4I Model) that outlines expected business values in a consistent format
The Gartner 4I model describes four dimensions against which the business value of investing in strategic information security activities can be captured and communicated in a concise format:
- Investment — Captures the expected returns, the value of which can typically be expressed in terms of expected financial returns, brand enhancement, competitive differentiation or future agility;
- Integrity — Emphasises the impact of the reliability and availability of daily business operations. Benefits are manifested as continuous improvements in the confidentiality, availability and accuracy of business information and processes;
- Insurance and assurance — Addresses the risk management benefits. Increased insight into information risk factors results in more effective risk identification and management;
- Indemnity — Highlights the compliance benefits of limiting regulatory and stakeholder exposure, resulting from the improved awareness, accountability and stakeholder support that stem from information security initiatives.
2. Identify business drivers relevant to your organisation and extrapolate the actions (projects and initiatives) required to address those business drivers. Map the recommended actions and drivers to the business values articulated in the 4I model
To truly demonstrate value, the valid but generic benefits outlined in the 4I model must be directly related to the situation within the organisation. It is important to capture the existing business drivers from strategic business plans and executive communications, annual reports and interviews with senior executives.
Typical drivers that can be supported with information security initiatives include: brand protection, business process availability, business continuity and so on. Linking these drivers to specific actions (such as implementing a data leakage prevention solution) and value dimensions builds a logical, coherent justification. It explicitly links the recommended projects ("what") to the specific business drivers ("why") and the associated value dimension ("expected outcome").
3. Communicate the proposed actions (with their expected costs), the relevant business drivers and the expected business values
The business value must then be communicated in a way that will be accepted and assimilated by the intended audience. It is worthwhile spending time researching the preferred communication methods of target executives. Some may prefer formal presentations; others prefer reports or face-to-face discussions. Tailoring the message to the audience will ensure that it is heard all the more clearly.
4. Provide feedback to executives on the benefits that are realised (and those that are not)
The effectiveness of communication is also contingent upon credibility. For example, when the security team does a good job, many in the organisation are unaware of it, because publicity for the security team tends to stem from security incidents rather than from business as usual. A key component of maintaining credibility with executives is to provide continuous, honest feedback about security activities and achievements — specifically, comparing actual results with expected benefits.
Tom Scholtz is a vice-president and distinguished analyst at Gartner