Dark Reading is part of the Informa Tech Division of Informa PLC


2/27/2016
10:30 AM
Yoran Sirkis
Commentary

The ROI Of Infosec: 11 Dos and Don’ts For Management Buy In

The case for a bigger bottom line depends on how well you argue that the business can't run without a specific level of security infrastructure.

Selling IT security up the ladder isn’t as hard as it used to be, but it still isn’t the easiest thing to do. Budgets are always squeezed, and you’re constantly asked to do more with less. Security managers need to prove that the company is better off with a tight, streamlined security infrastructure in place across all aspects of the organization -- a daunting challenge.

Your best strategy is to show that information security is a critical part of your company’s everyday business process. Demonstrating the return on your information security investment can go a long way towards helping your cause. Here are 11 points to take to the C-suite and boardroom.

  1. Do make it personal. It’s critical that CEOs and board members grasp the fact that they can be held criminally liable when something goes wrong – and things always go wrong; myriad attacks on your system occur every hour, at minimum. Only the damages vary. Systems and forensics must be in place demonstrating that everyone did their utmost to secure the information.
  2. Do speak the same language. Listen and pay attention to how the CEO positions her priorities and requests. Mirror that language when you approach her.
  3. Do offer a comprehensive view of corporate vulnerability. Data today is everywhere – network, cloud, mobile devices, remote employees, third party partners and service providers, etc. Clearly explain that security resources must be decentralized and cover everything. If you protect your information in one area only, the attacker will find the weakest link and use that to reach everything.
  4. Don’t portray IT security as a “complication.” Stress that while security is largely invisible, it is also a business enabler. Demonstrate how IT security facilitates operations. For example, policies within a classification system can ensure that everyone in the accounting department can access certain files and folders automatically without having to make change requests.
  5. Do tie data security classification to expenses. A company’s ability to find and classify the data will determine how it should be stored and the level of protection it requires. You may end up with a list that shows that only 10% of corporate data needs to be protected at the highest level, immediately reducing operating expenses and longer-term capital expenses.
  6. Do more than simply present the CEO with a list of security vulnerabilities. Explain the consequences of the vulns, in terms of legal issues, damage to reputation, fines, etc.
  7. Don’t ignore the bottom line. You can demonstrate the actual cost of security breaches with a quick Google search for recent examples. Here’s one at our fingertips: Target settled for $39 million to pay financial institutions affected by its breach.
  8. Do remind upper management of your company’s legal obligations and how they are affected by security breaches. For example, your company probably agreed to multiple NDAs before business partners agreed to send you proprietary information. Should an outsider access that information from your internal systems, you’ve basically voided the NDA, opening you up to legal action.
  9. Do review the statutes. Most companies are obligated to comply with SOX, PCI-DSS, NASD, SEC or other regulatory requirements. Compliance audits are a regular occurrence, and it is cheaper and easier to be in continual compliance than to have to make corrections to integral corporate systems once you’ve failed the audit and are liable for massive fines. (Another ROI feature.)
  10. Do create alliances within your organization to present “group” priorities. Pay particular attention to the corporate risk management team.
  11. Do explain how data security is a critical part of supporting the employee relationship. Employers have access to employees’ healthcare records, personal family information, etc. If these become part of the public record, it is a significant breach of trust. Employees can also sue you for putting them at risk of identity theft.

At the end of the day, security needs to be a significant part of the IT budget. You’ve got your wish list, and you have your actual priorities. You need to determine where the dollars will be best spent – and then make your case. How much you get for your department’s bottom line depends on how well you demonstrate that the business cannot run without a specific level of security infrastructure.


Yoran Sirkis is a seasoned senior executive with deep domain expertise in information security and well-rounded experience in leadership, business development, professional services, consulting, customer management, and international management. Yoran served as a managing ...
Comments
RyanSepe,
User Rank: Ninja
2/29/2016 | 1:50:57 PM
Don’t portray IT security as a “complication.”
It's important to understand that the business is the main reason as to why you need to successfully implement security. Without it, there would be none to implement. I always prefer to say that it's not security vs functionality, it's more like security to complement functionality.
ivadumont,
User Rank: Apprentice
2/28/2016 | 5:19:16 PM
Re: #8 The ROI Of Infosec: 11 Dos and Don’ts For Management Buy In
I really think that everybody doesn't have the same view. But for this case most of us will convey that security is an important part.
Joe Stanganelli,
User Rank: Ninja
2/27/2016 | 5:28:58 PM
#8
I'd reword #8, though the point is well taken. Executives hate to be "reminded of" legal details and compliance obligations. Rather, they prefer to view legal and compliance issues as a matter of risk management. Present things that way and you're much more likely to at least get informed action.