Avoid spending fatigue

17.04.2006
Xerox Corp. takes information security pretty seriously. It regularly conducts network vulnerability scans, as well as corporate audits of its risk mitigation efforts. A compliance program buoys employee awareness of its security processes -- as well as its disaster recovery, information privacy and Sarbanes-Oxley Act policies -- and an executive board champions adherence to them all. Meanwhile, the security budget at the Stamford, Conn.-based company is holding steady compared with last year, even as its other IT spending is down.

And yet, as Xerox Chief Security Officer Audrey Pantas says, "you never get as much as you'd like -- you could always do more." And that sums up the mind-set surrounding IT security at corporations today: No matter how much money you pour into it, you'll always need to go back to the well.

With growing threats, increased regulations and plenty of media coverage when incidents do occur, executives have never been more aware of the importance of IT security. At the same time, spending fatigue may be creeping into the boardroom, as CXOs increasingly look for the business value earned on the security dollars spent.

"Senior management knows there's a problem, but it seems that every day the problem gets worse, and it's like there's no end in sight," says Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium, an IT consultancy in Arlington, Mass. "There's the feeling that they could give security every single penny and it still wouldn't be enough."

To keep the security budget from looking like a black hole, you need to articulate the value of the money being spent. Here are some do's and don'ts for doing just that.

Don't Use Scare Tactics

Every day, it seems, a story emerges about a backup-tape theft or compromised customer data. But don't overuse these incidents when seeking to justify your funding requests. "CXOs can become desensitized or jaded if they hear too much about reports that they don't think affect them," says Christopher Bomar, founder of Boomarang LLC, an online data-backup service firm in Cincinnati.

"FUD has been used up," agrees Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference (McGraw-Hill Osborne Media, 2003). "So many people have cried wolf that executives are inured to scary stories."

You might, however, consider using recent security incidents to shed light on your company's needs. For instance, you can send out regular e-mails that put news stories into perspective and show how they apply -- or don't -- to your business, says Bob Dehnhardt, network and information security manager at TriNet, a human resources services firm in San Leandro, Calif. "You can use these incidents as an opening, but back them up with a strong business case," he says.

For instance, when a report comes out about backup tapes being stolen, point out what happened to the company's stock price on the day the story broke, says Gary McGraw, chief technology officer at security consultancy Cigital Inc. and author of Software Security: Building Security In (Addison-Wesley Professional, 2006).

Do Use Horizon Planning

Instead of asking for funding several times a year, project the security costs that need to be incurred over a 12-to-24-month time horizon, Rhodes-Ousley says. "CXOs can swallow that more easily," he says. "If you say you need certain things next year, you can get funding more easily than saying you need something now."

At Xerox, Pantas develops a three-to-four-year strategic plan for the company's security efforts and then prioritizes which of those projects to pursue in the ensuing year. "I do work off an overall strategic plan on where we want to take security," she says.

Do Let the CXO Define Acceptable Risk

Business executives deal with risk all the time, so before forking over money for protecting corporate systems and data, they first want to know the degree of legal, financial, operational and strategic risk they're facing. Only then can they decide how much they need to mitigate their exposure and, thus, how much they want to spend.

"If the CIO is bringing concrete evidence of exposure, liability and even an actual incident, the discussion changes from 'Should we do this?' to 'How much would it cost to make this go away?'" Bomar says.

When you present this information, give the executives an array of choices with different levels of protection -- like they'd get when choosing an insurance plan, Charette says. "Let them understand what's at risk and then let them choose how much they want to cover themselves," he says.

Doug Lewis, a former CIO and a senior partner at The Edge Consulting Group LLC in Atlanta, calls this "finding the prudent zone." He recommends adding up how much it would cost to improve security and then plotting the range of spending options on a chart. On one side of the chart is the "danger zone," where security is insufficient, and on the other is the "ridiculous zone," where the company is overspending. Somewhere in the middle, he says, is the prudent zone, which will vary depending on your industry and security risks.

"You have to explain that if you're manufacturing talcum powder, you're probably not a big target for intellectual property theft, compared to a health care firm or a bank," Lewis says. "You have to take a balanced, prudent view and not overbill the case."

Do Use Business Language

When you live and breathe security, it's easy to be passionate about things like the difference between intrusion protection and intrusion detection. But don't bring that talk into a board meeting. "You have to explain yourself in human-readable terms," Lewis says. "What the CEO wants to know is, 'Am I being protected at a prudent level, and if not, what do I need to do to get there?'"

When Pantas discusses the importance of avoiding vulnerability in software code, for instance, she doesn't go off on a tangent about not doing cross-site scripting, she says.

So instead of saying things like "threat detection," "encryption" and "data protection," use terms like, "exposure," "indemnity," "protecting the brand" and "effect on market cap," says Tom Scholtz, an analyst at Gartner Inc.

For instance, if your company just launched a branding campaign for its product or service, brand protection is a relevant justification for security spending. "You say, 'You guys spent US$200 million last year on branding your credit card as the cool card to carry around, and one story in The Wall Street Journal can bring that all tumbling down,'" McGraw says. "Then, if someone says, 'Why did we install that expensive apparatus?' you can say, 'Because we're protecting the brand.'"

And you had better be able to state your case in an "elevator speech" -- a concise, compelling argument that can be made in less than a minute. "What's that one message?" Charette says. "They don't care about the different levels of encryption -- they care about the harm it will keep the company from suffering and how much it's exposed in the different scenarios."

Don't Use ROI Arguments

Investing in security rarely yields a return on investment, so promising an ROI will sound ill-informed to a senior executive. "You really have to talk about it from an insurance perspective," Pantas says. "It's more about cost avoidance or cost of compliance; there's very little in what we do that's relative to gaining ROI."

It's possible to discuss other benefits of security spending, such as protecting the company's ability to generate revenue, keep market share or retain its reputation. But ROI relates to expanding revenue and profits, "and security isn't about that," Charette says. "Trying to sell it as if it's a revenue generator is a good way to have the board say, 'Are you nuts?'"

Do Report on Benefits From Past Spending

Before asking for more security funding, make sure you close the loop on your previous spending by regularly updating executives on the results of those efforts. This means regularly measuring things like how many malicious attempts were stopped at the firewall or how quickly incidents were resolved and summarizing this data in a meaningful way.

Pantas has her team conduct regular audits on network attacks, providing her not only with an idea of where vulnerabilities continue to exist but also with a record of improvement over time.

"After you've invested in new security technology, you need to come back six months later and show what you've achieved and how it squares up with what you intended to achieve," Scholtz says.

You also need metrics to show that it's good when nothing happens, McGraw says. For instance, following a worm outbreak, use network-activity reporting to show that you had the proper protective measures in place. Otherwise, you can fall into the chicken-and-egg trap, where people begin wondering why you have to keep investing in security when nothing bad ever happens.

McGraw also cautions against getting too granular in your reporting efforts. "They don't want to see your firewall logs or the number of virus scans or something geeky that you have to explain in three paragraphs," he says. "What they want to know is they invested $10 million in this product line and it's not going to be hacked on the first day."
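The reporting practice the last few paragraphs describe (count what the controls stopped, track how fast incidents were resolved, and roll it up into a trend rather than handing executives raw logs) can be automated. The following is an added example, not code from the article or from any of the companies quoted in it; it assumes a constructed syslog-like firewall deny-log format and a constructed list of incident tickets, and produces the kind of short summary a security manager could bring to a budget review.

```python
"""Executive-level security metrics from raw operational data (added example).

Turns constructed firewall log lines and incident tickets into a monthly
blocked-attempt trend and a mean time to resolve, which is the level of
detail the article says executives want, instead of the logs themselves.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (the syslog-like format is an assumption).
# One malformed line is included on purpose to show that the parser skips it.
FIREWALL_LOG = """\
2006-01-03T08:14:02 fw1 action=deny src=198.51.100.7 dst=10.0.0.5 dport=445
2006-01-03T09:20:11 fw1 action=allow src=10.0.0.9 dst=10.0.0.5 dport=443
2006-01-19T23:02:45 fw1 action=deny src=203.0.113.4 dst=10.0.0.5 dport=135
2006-02-02T01:10:00 fw1 action=deny src=203.0.113.9 dst=10.0.0.8 dport=445
2006-02-14T11:45:30 fw1 action=deny src=198.51.100.7 dst=10.0.0.8 dport=1433
2006-02-14T11:45:31 fw1 action=deny src=198.51.100.7 dst=10.0.0.8 dport=1434
2006-02-20 fw1 this line is malformed and must be ignored
2006-03-07T17:05:12 fw1 action=deny src=192.0.2.77 dst=10.0.0.5 dport=22
"""

# Constructed incident tickets: (ticket id, opened, resolved), ISO timestamps.
INCIDENTS = [
    ("INC-1", "2006-01-05T10:00:00", "2006-01-06T10:00:00"),  # 24 hours
    ("INC-2", "2006-02-10T08:00:00", "2006-02-10T14:00:00"),  # 6 hours
    ("INC-3", "2006-03-01T09:00:00", "2006-03-01T21:00:00"),  # 12 hours
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$"
)


def parse_firewall_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def denied_records(log_text):
    """Yield only the well-formed lines the firewall actually blocked."""
    for line in log_text.splitlines():
        rec = parse_firewall_line(line)
        if rec and rec["action"] == "deny":
            yield rec


def blocked_attempts_by_month(log_text):
    """Count blocked attempts per calendar month, oldest month first."""
    counts = defaultdict(int)
    for rec in denied_records(log_text):
        counts[rec["ts"].strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


def most_probed_port(log_text):
    """Destination port that drew the most blocked attempts."""
    counts = defaultdict(int)
    for rec in denied_records(log_text):
        counts[rec["dport"]] += 1
    return max(counts, key=counts.get) if counts else None


def hours_to_resolve(opened, resolved):
    delta = datetime.fromisoformat(resolved) - datetime.fromisoformat(opened)
    return delta.total_seconds() / 3600


def mean_time_to_resolve_hours(incidents):
    """Average hours from ticket opened to ticket resolved."""
    if not incidents:
        return 0.0
    return sum(hours_to_resolve(o, r) for _, o, r in incidents) / len(incidents)


def resolution_trend(incidents):
    """Compare the earlier half of tickets with the later half, by open date."""
    ordered = sorted(incidents, key=lambda t: t[1])
    if len(ordered) < 2:
        return "insufficient data"
    half = len(ordered) // 2
    earlier = mean_time_to_resolve_hours(ordered[:half])
    later = mean_time_to_resolve_hours(ordered[half:])
    if later < earlier:
        return "improving"
    return "worsening" if later > earlier else "flat"


def executive_summary(log_text, incidents):
    """The handful of numbers worth putting in front of a CXO."""
    by_month = blocked_attempts_by_month(log_text)
    return {
        "total_blocked": sum(by_month.values()),
        "blocked_by_month": by_month,
        "most_probed_port": most_probed_port(log_text),
        "mean_hours_to_resolve": round(mean_time_to_resolve_hours(incidents), 1),
        "resolution_trend": resolution_trend(incidents),
    }


if __name__ == "__main__":
    s = executive_summary(FIREWALL_LOG, INCIDENTS)
    print(f"Blocked intrusion attempts this quarter: {s['total_blocked']}")
    print(f"By month: {s['blocked_by_month']}")
    print(f"Average time to resolve an incident: {s['mean_hours_to_resolve']} h "
          f"({s['resolution_trend']})")
```

The summary deliberately reports a trend (resolution time going down, attempts blocked going up) rather than the individual deny lines; the malformed log line is skipped instead of breaking the report, which matters when the data is pulled from several devices with slightly different formats.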

Unfortunately, the most reliable way to ensure security funding is through regulation, "and that's a shame," Rhodes-Ousley laments. "Businesses simply won't do the right thing, such as protecting customer identities and private information, if they're not required to." The best thing to do in those instances, Scholtz says, is to partner with the internal compliance organization. "Complying with regulations has very direct consequences for information security and IT," he says. "But it's really the business that needs to make the risk-based decision on what they're going to do."

Brandel is a Computerworld contributing writer. Contact her at marybrandel@verizon.net.

SIDEBAR

Regulatory driver

There's nothing like a regulation to help justify security expenditures. Nothing shapes a funding argument quite so well as the threat of fines, jail or marred reputation resulting from regulatory noncompliance.

However, IT has to be careful about how hard and how often it pushes the compliance button. One reason is that organizations are increasingly appointing people specifically for that job, and IT should work with them -- as well as with the legal department, auditing and internal risk management -- and base security investments on the decisions that come out of those bodies.

"I've had feedback that it sometimes looks like IT or the security department is the tail trying to wag the compliance dog," says Tom Scholtz, an analyst at Gartner. "IT should be a key partner but shouldn't hijack the debate and lead the effort." In particular, Scholtz warns, don't use compliance as an excuse for security projects that otherwise wouldn't have been justified.

In other words, "coordinate but don't duplicate," according to Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium.

At the same time, it can be frustrating to stand by and watch as your company refuses to make investments in securing areas that aren't regulated. "I have designed security for dozens of companies, and none of them have ever secured anything they didn't absolutely have to, especially customer data," says Mark Rhodes-Ousley, an information security architect. "Even the simple precaution of encryption is almost never practiced."

With the possibility of regulations requiring encryption on hard drives looming on the horizon, Rhodes-Ousley is starting to see companies deploy encryption on their endpoint workstations. "This is only a beginning, but I'm hopeful," he says.

"It shouldn't take a federal law to make a company start caring about how the personal information that they've been trusted with is being handled," says Christopher Bomar, founder of Boomarang. "But unfortunately, that's how companies are operating now as a majority."