Published at SC Magazine at http://www.scmagazineuk.com/Tactics-Show-me-the-money/article/116053/
Looking for the board to invest in your security project? Learn to speak their language before you pitch, suggest Jessica Twentyman
Fear, uncertainty and doubt are not what they used to be. When it comes to persuading today's risk-savvy company directors to part with the cash needed to launch new IT security projects, scare tactics simply are not enough to win information security professionals a fair and proper hearing.
In fact, warns Ray Stanton, global head of BT's business continuity, security and governance practice, that approach is more likely to get them laughed out of the boardroom empty-handed.
“Senior executives don't want to be shown horror-story headlines, and they don't want to be told they could go to jail. They want to hear about risk and reward in hard, financial terms,” he says.
It sounds like a particularly gruelling appearance on TV's Dragon's Den, but this scenario may well become familiar to an increasing number of information security professionals. The pressure has never been greater for them to provide watertight justification for funding.
Meeting such demands, however, remains a daunting prospect for many, according to Donal Casey, a security consultant with systems integration company Morse. For a start, he points out, the business analysis skills required to construct a formal business plan are hardly part of the IT security manager's traditional portfolio. Nor do established measures of corporate risk and return on investment (ROI) translate well to the information security arena.
And it remains as taxing as ever to convince non-technical executives of the legitimate risk to business posed by vulnerabilities, he adds, let alone get them to see how those risks stack up against other threats to the business.
It is hardly surprising, then, that relatively few IT security projects are accompanied by a fully prepared, formal business case that includes projections of quantifiable benefits and ROI calculations. In fact, only 27 per cent of organisations say they always produce a formal business case to support IT security projects, according to the Information Security Breaches Survey 2008, conducted by management consultancy PricewaterhouseCoopers on behalf of the Department of Business, Enterprise and Regulatory Reform (BERR). A further 30 per cent claim they sometimes produce one.
But there is a lesson to be learned for the remaining 43 per cent of respondents: according to the survey, organisations that always prepare a formal business case tend to spend a greater proportion of their overall IT budget on security (between nine per cent and ten per cent on average), than those that do not bother (around five per cent). So how do information security professionals make a case that will win over those executives that hold the purse strings?
The secret of a successful business case for IT security spending is that it couches its request in the language of the boardroom, according to John Colley, former chief information security officer at Royal Bank of Scotland, now managing director of industry body (ISC)2.
A convincing case
“Senior decision-makers will be looking for evidence that you look beyond the four walls of your department. They want to see that you have aligned your request with the top-level objectives of the business and can demonstrate how your proposed project will support one – or more – of them,” he says.
“The most convincing business cases speak directly to the board,” agrees Alan Calder, consultant and author of IT Governance: a Manager's Guide to Information Security and BS7799/ISO17799. “The best way to achieve the right tone, style and terminology is to understand the culture of your business and adapt to it,” he says. “Take a good, hard look at business cases that have succeeded in your organisation in the past, from a range of different departments, to see what elements they have in common.”
But simply putting together the documentary elements of a business case isn't the hard part, he warns. “That's really just a process of identification: identifying a risk, what areas of the business it's likely to affect, what your options are for mitigating against it, and the risks, costs and benefits associated with those options” (see box). “It's time-consuming, because the paperwork needs to be thorough, but the real tricks lie elsewhere.”
These include things such as providing ROI calculations for the proposed deployment. “This is where many information security specialists get into trouble, because there's no obvious method for measuring the payback where a risk has been deferred,” says Calder.
In other words, the essence of ROI is the value received from a deployment or project, divided by the cost over a given time period. That leaves most IT security specialists puzzling over how to predictively quantify “value received” when it comes to protection against threats to the information architecture – especially when data about information breaches is notoriously unreliable.
Perhaps it is time to get away from misleading ROI calculations altogether. Tom Scholz, an analyst at Gartner, certainly believes so. He argues that rather than looking at misleading ROI calculations, security teams should rely on “clearly articulated, balanced value propositions”. “These are derived from expected benefits,” he explains, “ For example, secure collaboration, regulatory compliance, competitive differentiation, risk mitigation, improved accountability and reduced liability.”
The approach Scholz proposes works best in certain kinds of projects, where the financial consequences of expenditure can be determined fairly accurately, for example for the automation of repetitive or operational security tasks.
Preparing the ground
It's not just the business case documentation that information security professionals need to focus on, however. Even the best business case, supported by quantifiable information, will struggle if the sales skills of the proposing department are not up to scratch, warns Calder. “Once you master the art of selling security, it will work better than anything else to get information security initiatives passed,” he says.
That means preparing the ground for your pitch. “You can't go in cold – there's a certain amount of upfront lobbying to do,” advises Colley of (ISC)2. By meeting with individual decision-makers ahead of time, information security professionals get the opportunity to not only “pre-influence” them, but also hear and address their concerns in advance.
It may also be worth seeking out a regular “information security champion” on the board – someone who has much to lose if an information security breach was to occur – and work with them to raise their understanding of the issues.
Many information security professionals might seriously benefit from enrolling in a sales training course, says Morse's Casey. “Much of the certification that currently exists focuses exclusively on technical skills and not the skills needed by a business professional who wants to play a proactive part in delivering to business objectives,” he laments.
“There's no doubt in my mind that I need to work as an internal salesperson to the partnership,” agrees Jan Durant, IT director at law firm Lewis Silkin. “My project will be competing against other internal projects for funding, so it's in my best interests to be able to articulate its purpose and benefits.”
At senior levels, further business skills may be required, says Colley. (ISC)2 is currently looking at how it can extend its ISSMP (Information Systems Security Management Professional) qualification to incorporate more of the business aspects of the senior security role.
“I was speaking to a recruitment agent the other day, who told me that the best qualification for a top-level CISO is an MBA, and that struck a chord,” he says.
“You need a technical background, of course, but at senior levels, the job is far more about liaising with the business, understanding finance, managing budgets and presentation skills. These are things the ISSMP needs to incorporate.”
And it seems likely that many information security professionals would jump at the chance to acquire this kind of wider training, says Stanton of BT. “The message is becoming increasingly clear: if you can't monetise security, you can't engage your audience and it's the audience that pays the bills that you need to engage.”
CASE STUDY: LIVERPOOL WOMEN'S FOUNDATION TRUST
When it comes to presenting a business case to the board of the Liverpool Women's NHS Foundation Trust, preparation is everything for Dr Zafar Chaudry, director of information management and technology.
In part, that is because the board of directors is understandably “pretty challenging” when asked to fund information security projects using taxpayers' money, he says. Between them, the six executive and six non-executive directors have a wealth of experience in project management and delivery in both the public and private sectors. Several are accountants, and thus have a keen eye for spotting any flaws in financial justifications.
But above all, board members are extremely busy, and any time available to convince them of the need to invest is heavily constrained, says Chaudry. “We can't afford to waste that time with a business case that's rambling, inconclusive or baffles them with technical terms.”
For these reasons, he and his team never progress to building a business case unless they are convinced they have all the evidence they need. In the case of a recent investigation into whether the Liverpool Women's NHS Foundation Trust should implement single sign-on (SSO) technology, the research went on for months.
Clinical and non-clinical staff were surveyed to establish how they stored and remembered the user names and passwords associated with each application they used. Information governance spot-checks were carried out on PCs and laptops around the organisation to see whether users were logging off applications after use. Data was taken from the helpdesk to establish how much time was spent each day resetting passwords.
All the data was analysed to start constructing a business case. “With these kind of metrics at our disposal, we were able to provide headline figures on risks, costs and benefits that we knew would capture the attention of the board,” says Chaudry. “For example, we found that the amount of time spent by the helpdesk on resetting passwords was equivalent to one member of the IT support team, on a salary of around £20,000 per year,” he says.
The research also enabled Chaudry and his team to identify the methods staff used to circumvent security controls (for example, writing passwords on the back of identity badges), estimate the scope of these problems and assess the risk they posed in terms the board would appreciate.
Despite the hurdles, it's clear that Chaudry enjoys the challenge. “Every time, each member of the board is ready to attack us in a different way, so we need to be prepared to counter every attack with a reasoned argument,” he says. “It can be intense, but it's always interesting.”
BUSINESS CASE FUNDAMENTALS
What is a business case? Put simply, it's the first step in a capital planning and investment model, whether your organisation is considering building a new warehouse or installing a new firewall.
For information security projects, what is needed is a document that combines IT security issues, business objectives and financial management processes. It should help decision-makers understand the business value of a project, and offer a compelling argument to fund it.
Most organisations already have an agreed format, and this should be followed as closely as possible, says Alan Calder, consultant and author of IT Governance: a Manager's Guide to Information Security and BS7799/ISO17799.
The basic elements of a business case:
1. Project objectives
Describe the current situation and the IT security risk your proposed project will seek to mitigate. Be succinct, but include all the details that need to be considered; highlight the areas of business most affected by this risk and describe the likely impact if the risk were to manifest itself.
What are your options for controlling this risk? “If it's not possible to stop doing business in this area, then you need to take steps to reduce the risk to an acceptable level,” says Calder. Appropriate controls will involve changes in technology, procedure and behaviour. For each option, describe the project, including goals, timeframe and resources required.
3. Cost/benefit analysis
A cost/benefit analysis includes the cost of the project along with the benefits and any estimates at the return on investment (ROI). “You need to look not only at upfront costs for the security technology involved, but also the costs of implementing and maintaining it over its expected lifetime,” says Calder.
ROI calculations should be kept meaningful. For example, the ROI calculation for an access management implementation might go as follows: (Number of staff) x (Average time spent looking for user IDs per day/60 minutes) x (Average hourly salary) = lost revenue per day.
4. Risk assessment
Every project comes with risks, so show these have been considered and that plans are in place to mitigate against them. “I always like to include some description of the factors that might cause overruns in time and cost, for example,” says Jane Durant, IT director at law firm Lewis Silkin.
5. Conclusion and recommendation
If you've done a good job on the rest of the business case, this should be easy. Provide a brief summary of the reasons why the benefits of the project outweigh the costs and risks involved and why you believe your firm should go ahead.