Last month, I attended a CIO and CISO forum in Rhode Island. The talk by Michael and Tricia of Secure Catalyst was excellent. They stressed the need for straight talk between technology and business leaders, particularly in the area of information security.
Straight talk does not mean unkind or unwelcoming language. Michael and Tricia suggest that technology and security leaders focus on questions such as “what problem are we trying to solve?”, “what resources do we need to solve the problem?”, “how do we measure success or value delivered?”, and “are we ready to start?”
Entering the typical work week or two-week activity sprint, these questions form the basis for clear expectations, measurable activities, and a focus on achieving a defined outcome. From the back of the room, one of the executives scoffed at this notion as it relates to security: “You cannot prove a negative and therefore, the value of security remains elusive and impossible to define.”
Michael and Tricia gently pushed back, but this got me thinking. The number one career challenge that security professionals face is a view like the one posed during the forum. You cannot prove a negative and security programs cannot be quantified.
This is wrong. You can prove a negative with the absence of evidence. Did a neighborhood watch program work? Did your IT leadership get fired because of a breach? Not getting your leadership fired is a good indicator that you are demonstrating value. Do you leave the doors unlocked and your systems unprotected because you have not been robbed or breached? Did your company suffer financial losses and regulatory penalties?
At this point, there are extensive statistical data sets that can help you support a strong business case for security. The Verizon Data Breach Incident Report, for example, provides access to the raw data supporting its analysis. Cost per incident, by industry and by attack vector, is readily available. Time to discovery, time to recover, and customer-loss data are at your fingertips.
Use data appropriate to your industry, size, and stage, e.g., manufacturer with 10 employees in a mature state, operating for 30 years. Build a business case that considers the following:
Revenue or income loss:
Calculate annual sales. Indicate the +/- variance that you are applying; you are not trying to be precisely correct, you are being directionally correct.
Let’s assume that the 10-person manufacturing shop generates $1M in revenue annually. A 20% variance would give you a range of $800K – $1.2M in revenue at risk.
Factor in the number of customers that you might lose in case of a breach or data loss. It helps to understand if a large customer represents the lion’s share of your company’s revenue.
For example, if the manufacturer has a DoD contract that represents 80% of its income, suffering a breach could put that contract in jeopardy.
Take a middle of the road approach when presenting the ranges. Security professionals are often accused of being alarmist or gumming up the works. Generating fear and uncertainty will hurt your chances of getting buy in and support.
From the example above, assume that the DoD contract has a 50/50 chance of being lost or retained with some form of oversight. A logical assumption is that 40% of the manufacturer’s revenues could be at risk, with potential losses of 80% if the worst-case scenario is realized.
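As an added example (not part of the original article), here is the revenue-at-risk arithmetic above written out in Python and generalized to any number of customers, each with its own share of revenue and its own probability of walking away after a breach. The `Customer` class, the function names, and the per-customer loss-probability model are my own assumptions; the figures are the constructed ones from the text (a $1M shop, 20% variance, one DoD contract at 80% of income with a 50/50 chance of loss).

```python
"""Revenue-at-risk calculator for a security business case.

Added illustration, not code from the article. Reproduces the worked
example from the text and generalizes it to several customers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    """One customer: its share of annual revenue and the assumed chance
    that it leaves after a breach (both fractions in 0..1)."""
    name: str
    revenue_share: float
    loss_probability: float


def validate(customers):
    """Reject inputs that cannot describe a real customer base."""
    total_share = 0.0
    for c in customers:
        if not 0.0 <= c.revenue_share <= 1.0:
            raise ValueError(f"{c.name}: revenue_share must be within 0..1")
        if not 0.0 <= c.loss_probability <= 1.0:
            raise ValueError(f"{c.name}: loss_probability must be within 0..1")
        total_share += c.revenue_share
    if total_share > 1.0 + 1e-9:
        raise ValueError("customer revenue shares add up to more than 100%")


def revenue_range(annual_revenue, variance):
    """Directionally-correct revenue band: +/- variance around the estimate."""
    return (annual_revenue * (1.0 - variance), annual_revenue * (1.0 + variance))


def expected_loss_share(customers):
    """Middle-of-the-road figure: share of revenue weighted by loss odds."""
    return sum(c.revenue_share * c.loss_probability for c in customers)


def worst_case_share(customers):
    """Worst case: every customer with any chance of leaving actually leaves."""
    return sum(c.revenue_share for c in customers if c.loss_probability > 0.0)


def business_case(annual_revenue, variance, customers):
    """Return the numbers you would put on the slide, as a dict."""
    validate(customers)
    low, high = revenue_range(annual_revenue, variance)
    expected = expected_loss_share(customers)
    worst = worst_case_share(customers)
    return {
        "revenue_low": low,
        "revenue_high": high,
        "expected_loss_share": expected,
        "worst_case_share": worst,
        # Expected loss across the revenue band, plus the midpoint to present.
        "expected_loss_low": low * expected,
        "expected_loss_mid": annual_revenue * expected,
        "expected_loss_high": high * expected,
        "worst_case_loss_low": low * worst,
        "worst_case_loss_high": high * worst,
    }


# Constructed figures from the article's 10-person manufacturer.
EXAMPLE_CUSTOMERS = [
    Customer("DoD contract", revenue_share=0.80, loss_probability=0.50),
    # Remaining 20% spread over small accounts assumed to stay put.
    Customer("other accounts", revenue_share=0.20, loss_probability=0.0),
]

if __name__ == "__main__":
    for key, value in business_case(1_000_000, 0.20, EXAMPLE_CUSTOMERS).items():
        print(f"{key:>22}: {value:,.2f}")
```

Running the block prints the $800K – $1.2M revenue band, the 40% expected share (a $320K – $480K loss, $400K at the midpoint) and the 80% worst case ($640K – $960K). Adding a second at-risk customer, say a distributor worth 15% of revenue with a one-in-four chance of leaving, raises the expected share to 43.75% without touching the rest of the case.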
Revenue Increases or Customer Acquisition:
Most business and security leaders see security programs as a cost center. Flip the script. Security can be a significant competitive advantage. An organization that can point to security self-checks, improvement programs, and a series of external audits can differentiate their services and products from organizations that leave these questions unanswered.
Review your competitors and the state of regulations in your industry. A recent study of US federal agencies indicated that only the DHS, responsible for the security of other agencies, received a 2 on the NIST resilience scale. 1 is the lowest score possible.
If the 10 person manufacturer attained a proactive state of security (4 on the NIST scale), how many clients could the sales team win from competitors? Would $1M grow to $1.5M because a competitor experienced a data loss? Could you win more work from Walmart because of the failure of a competitor?
Review the voice of your customers. A number of anchor organizations are making supply chain security a top priority. This is more than simply ensuring that ingredients or parts can be obtained in the face of global economic uncertainty. Vendor assessments increasingly cover digital security, using frameworks like NIST, to review supply chain security and performance.
Quarterly filings, press releases, and annual statements often list the top priorities and strategic risks for an organization. Check your customer filings to see if they are mentioning supply chain or operational security.
Reduce your administrative overhead and time to market. Winning client work can be time consuming, particularly when a potential customer has a vendor management or supply chain security function. These organizations watch their walls closely to ensure that you are not the entry point for an attacker. Sometimes, these walls ward off businesses from making the attempt.
How often are your vendors or customers asking for security audits? Does your sales team have to respond to different security requests or documentation reviews in order to win work? If you had a proactive program, cutting audit response time to a few hours and the required effort to a person or two, what would that save in sales team time and hours? How powerful would it be to be able to demonstrate to Walmart a DoD certified state of 4 on the NIST scale?
Cost to Achieve:
Security professionals often forget the people cost of change. Training, behavioral adjustments, and time are all critical parts of maintaining a proactive security stance. Frequently, security and technology leaders focus on short term asks and technical platform costs. This is short sighted and leads to frustrated business counterparts when results do not meet expectations as spend grows.
Consider the full cost of ownership. This includes people, training, time away from core responsibilities, and reinforcement. Most business cases include the cost to deliver the initiative or project.
Once you flip on the lights, how will you maintain the solution over time? Will you need ongoing professional trainers or outside help to keep you advised of new trends? Do you need an annual budget for conferences or training? Calculate the cost to change and sustain the change, in addition to any software or hardware.
Consider the $5 solution. Be creative, using the brains and talent that you already have in house, augmented by case studies or experience. Wired, Fast Company, and Inc. are all excellent sources of information, as well as CIO.com and CISO.com. Local user groups and communities are often good opportunities to learn from people who have been in similar situations. Many times, these events are free to attend or charge a nominal fee for non-members, e.g., VentureCafe, Project Management Institute, ISACA, SIM.
Could you accomplish your goals and solve your problems with existing solutions? If your small manufacturing shop uses Google’s G Suite, could you use the Google Mobile Device Management solution rather than selecting and implementing a separate toolset? Could you augment your existing support agreements or provider contracts to include quarterly penetration tests or audits? Would a potential partner be willing to enter a contract based on hitting performance targets, e.g., a bonus for every 30 days without incident?
Stake Your Bet Wisely:
Business and technology professionals are often quick to latch onto trends, software, or hardware as a miracle drug. How many times have you been told that the answer to your problems is X, Y, or Z software package? A cursory review of the current Gartner Hype Cycle (Google it) or Forrester Wave will help you discern hype from reality. Vendor roadmaps are vaporware. Promised features notoriously get delayed or postponed.
Has the technology or framework been proven? What was the experience of a similarly sized organization? Would you bet the security of your business on an unproven technology or capability? Is this solution a part of a larger security portfolio, or does it require going all in? For example, swapping out one email and productivity suite for another may require additional licenses for security features.
One of the biggest, if not THE biggest, challenges that you will face in your information security (and technology) career is overcoming this mindset that security cannot be measured. Rather than accepting bold statements and proclamations, do some research and anticipate these criticisms. The absence of evidence, coupled with existing data from other industry analysis, makes preparing a business case to support security relatively straightforward.
Next up, we will discuss how to get your business case approved.
Guest Author: Matt Leathers, Senior Consultant, at Kettle Consulting Group, with over fifteen years of consulting and industry experience, working for some of the leading consulting firms in the world.