How often have your information security budget proposals been brushed aside or rejected outright by top management? This happens all the time in most organizations, as information security is invariably accorded low priority when it comes to releasing budgets or making investments.
It is an arduous task to convince management to sanction information security budgets. An additional hurdle arises from the fact that most security professionals have a technical background, and hence face difficulties in clearly explaining to executive management the need for information security budgets and investments.
Information security professionals must learn to be adept at educating senior management on desirable security objectives for the organization, and convincingly presenting key security risks. Here are a few pointers to help you obtain management sanction for your information security budgets.
1. Align information security to business
Aligning information security to strategic business objectives is essential for achieving effective security governance. It is a prerequisite to preparing meaningful information security budgets. To achieve this, try the following approach:
• Assess: Assess the current and future security requirements of your organization, using surveys, workshops and interviews with employees. This includes assessment of the people, processes, technical infrastructure and required security posture. Standard frameworks such as ISO27001 make the task of assessment easier.
• Analyze: Analyzing the information gathered from the assessment is pivotal. Key risks to the business should be analyzed and articulated. The gaps that become evident need to be mapped to compliance and regulation requirements for the business.
• Align: You can justify the information security budgets and deployment of security solutions as a means to fill the gaps and reduce risks to acceptable levels. Further, emphasize that security strategy should be dynamic and flexible enough to accommodate changes in the external environment as well as within the company.
• Communicate: Proper communication of key risks that impact the business is crucial. When drafting the presentation, make sure you highlight milestones in the security journey, mapped to the proposals made in the information security budget. Also draw management’s attention to the consequences of non-compliance to regulations. Articulate the information security budgets in financial terms, highlighting the current and future impact on the organization’s assets, liabilities, income and expenses.
For information security budgets, objectivity and quantification is important. However, senior management is not really interested in knowing if you have applied one hundred or one thousand patches on your network. But, speak of a million dollar loss due to system downtime, and they will sit up and listen keenly. Just don’t drown them in technical jargon, that’s all.
Quantifying risk is vital in today’s difficult times. By determining the estimated risk of loss before and after applying the security control, the value addition to the business is established.
There are various risk analysis methodologies available for quantifying risk when preparing the information security budgets. Take a simple example: If the server crashes once annually, the business would have to bear $10,000 loss due to one hour of downtime. However due to implementation of a control such as clustering, which could cost, say, $500, downtime is reduced or eliminated, thus potentially saving $9,500.
Calculating return on investment for security is always challenging, as loss of reputation or data breaches are often difficult to quantify. In such cases, ALE (annual loss expectancy) can be used to establish efficiency of security investment and justify information security budgets.
3. Regulations and compliance
Regulations and compliance requirements such as SOX, PCI-DSS, HIPPA, and so on, have given great impetus to information security objectives. Focusing on this aspect helps get the attention of senior management, and makes approval of information security budgets easier. Highlight the need for investing in controls to secure confidential data of customers in order to avoid hefty penalties, should any breach occur.
4. Management loves presentations
A professional presentation is vital in exhibiting and summarizing the security objectives and information security budgets. Take the time to train yourself in creating better presentations and improving your public speaking skills. Key risks, security objectives and milestones should be emphasized in the information security budget presentation.
5. Business justification
It is imperative for security professionals to spell out the business justification for security programs and objectives, making a watertight business case that ensures complete understanding and approval of the information security budgets by top management.