IT Security Guru

Three Steps To Justifying An Investment In IT Security.

by The Gurus
May 24, 2021
in Opinions & Analysis

By Matt Middleton-Leal, EMEA General Manager at Netwrix

As there is no such thing as 100 percent secure and as data breaches continue to hit the headlines, investments in IT security never seem to be quite enough. When it comes to budgeting, the role of a Chief Information Security Officer (CISO) is to prioritise available resources based on the IT risks the organisation faces and justify additional investments when and where needed to executives. Of course, this is easier said than done. Many CISOs struggle to articulate the value of their current and future security projects when attempting to make the case for more resources. This article will set out a three-step guide to justifying an investment in IT security.

Step One: Assess your IT risks

Before requesting additional investments, CISOs should first assess whether current resources are allocated correctly in order to address the actual risks that firms are exposed to; whether those risks are prioritised well and what the level of remaining risk exposure is.

For this reason, organisations should conduct regular IT risk assessments. The process may seem very complex, but keeping it simple is key at first. In practice, organisations should identify threat/vulnerability pairs and determine the level of risk each pair poses. This will be based on the likelihood that the threat will exploit the vulnerability; the impact of the threat successfully exploiting the vulnerability; and the adequacy of the existing or planned information system security controls for eliminating or reducing the risk.

Risk assessments enable CISOs to determine which risks are sufficiently addressed by current IT controls and which security gaps remain that require additional effort and investment. With that information, CISOs are better able to prioritise risks and allocate resources wisely.

To this classic IT risk assessment process, adding a regular review of risk profile versus industry peers is also advisable. Peer comparisons will give organisations a heads-up on the threats peers encounter and how they address them. For instance, if a competitor recently experienced a data breach, companies should investigate whether they have the same weakness and what they must do to mitigate it. In addition, they should scrutinise research from analysts summarising security execution in different industries, in order to keep up to date when it comes to best practices.

By accurately assessing risks for organisations and the industry in general, companies will be able to prepare a roadmap for eliminating the critical security gaps in their environment and build a coherent argument for additional budget.

Step Two: Communicate security issues to the decision-makers

The next step would be to talk to executives. CISOs are well-advised to start with their security status, briefly describing the IT risks roadmap and explaining exactly what they are doing to address current risks, demonstrating that they are effectively using existing technologies and human resources. During the communication with the board, CISOs should avoid technical acronyms or terms such as “the infrastructure”; they should instead reference business processes and real-life scenarios, ideally examples of incidents in the national press.

To demonstrate the effectiveness of security controls, CISOs can use a variety of metrics, for instance: MTTD (mean time to detect), MTTR (mean time to repair), the number of incidents and vulnerabilities discovered versus the number remediated, money saved due to remediation, mean time between security incidents, percent of changes with security review and so on.
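The metrics listed above are only persuasive if they are computed the same way every quarter. The following Python is an added example, not code from the article or from Netwrix, showing how each metric falls out of a small incident register; the incident names, timestamps and counts are constructed sample data, and the convention that MTTD runs from first malicious activity to detection and MTTR from detection to closure is an assumption the SOC would have to fix in its own definitions.

```python
"""Security-programme metrics computed from a small incident register.

Added example for the article's metrics paragraph. All incidents below are
constructed sample data, not real events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    name: str
    occurred: datetime            # first malicious activity (from forensics)
    detected: datetime            # when the SOC first raised an alert
    resolved: Optional[datetime]  # None while the incident is still open


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mttd_hours(incidents: Iterable[Incident]) -> float:
    """Mean time to detect: average of (detected - occurred) over all incidents."""
    return mean(_hours(i.detected - i.occurred) for i in incidents)


def mttr_hours(incidents: Iterable[Incident]) -> float:
    """Mean time to repair: average of (resolved - detected) over closed incidents.

    Open incidents are excluded rather than counted as zero, which would
    flatter the number; if nothing is closed yet there is no MTTR to report.
    """
    closed = [i for i in incidents if i.resolved is not None]
    if not closed:
        raise ValueError("no closed incidents: MTTR is undefined")
    return mean(_hours(i.resolved - i.detected) for i in closed)


def mean_time_between_incidents_days(incidents: Iterable[Incident]) -> float:
    """Average gap, in days, between consecutive incident start times."""
    starts = sorted(i.occurred for i in incidents)
    if len(starts) < 2:
        raise ValueError("need at least two incidents to measure a gap")
    gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
    return mean(g.total_seconds() for g in gaps) / 86400.0


def remediation_ratio(discovered: int, remediated: int) -> float:
    """Share of discovered vulnerabilities that have been remediated (0..1)."""
    if discovered <= 0:
        raise ValueError("discovered must be positive")
    if remediated > discovered:
        raise ValueError("cannot remediate more than was discovered")
    return remediated / discovered


def security_review_coverage(changes_total: int, changes_reviewed: int) -> float:
    """Percent of changes that went through a security review."""
    if changes_total <= 0:
        raise ValueError("changes_total must be positive")
    return 100.0 * changes_reviewed / changes_total


# Constructed sample register: three incidents in one month, one still open.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("phishing - finance mailbox",
             datetime(2021, 3, 1, 8, 0), datetime(2021, 3, 1, 10, 0),
             datetime(2021, 3, 1, 16, 0)),
    Incident("credential stuffing - VPN portal",
             datetime(2021, 3, 11, 8, 0), datetime(2021, 3, 11, 12, 0),
             datetime(2021, 3, 12, 0, 0)),
    Incident("commodity malware - engineering laptop",
             datetime(2021, 3, 21, 8, 0), datetime(2021, 3, 22, 8, 0),
             None),
]


def board_summary(incidents: Iterable[Incident] = SAMPLE_INCIDENTS) -> dict:
    """The handful of numbers a CISO would put on one slide."""
    incidents = list(incidents)
    return {
        "incidents": len(incidents),
        "open": sum(1 for i in incidents if i.resolved is None),
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "mean_days_between_incidents": mean_time_between_incidents_days(incidents),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key}: {value}")
```

Keeping the raw register and recomputing from it, rather than storing the averages, is what lets the board see the same metric move over time; an open incident that drags on will show up in the incident count now and in MTTR once it closes, not vanish into a zero.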

At this point it is important to highlight the most acute security gaps that leave a company vulnerable to current threats and request money to address them. The key to success is to clearly explain and, whenever possible, quantify the business impact of the security incidents that could result if those security risks are left unaddressed.

Step Three: Offer a solution and highlight benefits

This stage involves providing a clear, actionable plan for how the CISO will use the budget requested to reduce the IT risks identified to a level acceptable to the business. This plan must include resources – people, technologies, etc. – deadlines and a detailed budget that sets out how much money will be spent on what.

To support the argument, it is important to estimate the expected return on security investment (ROSI) for planned investments in order to prove their effectiveness in balancing risk and cost. CISOs can base this calculation on direct prevention of financial losses, as discussed earlier. The best way is to use the SANS Institute’s quantitative risk analysis formula. This estimates ROSI by quantifying how well the solution mitigates the risks it is intended to address and how much money can be saved due to the reduced risk exposure. Even if the estimate isn’t completely accurate, using the same scoring algorithm over time is a good way to compare the return on security projects.
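The risk-assessment step and the ROSI step use the same quantities, so one worked example can serve both. The Python below is an added example, not code from the article, from Netwrix or from SANS: it scores constructed threat/vulnerability pairs by likelihood and impact, discounts each for the adequacy of existing controls, ranks the residual risks, and then applies the ROSI formula in the form commonly attributed to SANS, ROSI = ((ALE × mitigation ratio) − cost of solution) / cost of solution with ALE = SLE × ARO; that the article means this specific form is an assumption, and every figure in the register is invented.

```python
"""Risk register scoring and return on security investment (ROSI).

Added example for the risk-assessment and ROSI paragraphs. The risks, loss
figures, control effectiveness values and project costs are all constructed.
The ROSI formula used is the commonly cited SANS form (an assumption about
which formula the article refers to).
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    aro: float                    # likelihood: annualised rate of occurrence
    sle: float                    # impact: single loss expectancy, in currency
    control_effectiveness: float  # fraction (0..1) removed by existing controls

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before existing controls are credited."""
        return self.aro * self.sle

    def residual_ale(self) -> float:
        """Annualised loss expectancy after existing controls are credited."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return self.inherent_ale() * (1.0 - self.control_effectiveness)


@dataclass(frozen=True)
class Proposal:
    name: str
    target: Risk
    mitigation_ratio: float  # fraction of the residual risk the project removes
    annual_cost: float       # people, licences, services, per year


def prioritise(risks: Iterable[Risk]) -> List[Risk]:
    """Highest residual annualised loss first: the gaps that still need money."""
    return sorted(risks, key=lambda r: r.residual_ale(), reverse=True)


def rosi(residual_ale: float, mitigation_ratio: float, solution_cost: float) -> float:
    """SANS-style ROSI: (risk reduction in currency - cost) / cost."""
    if solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    return (residual_ale * mitigation_ratio - solution_cost) / solution_cost


def rank_proposals(proposals: Iterable[Proposal]) -> List[tuple]:
    """Rank projects by ROSI so the same scoring is reused budget after budget."""
    scored = [(p.name, rosi(p.target.residual_ale(), p.mitigation_ratio, p.annual_cost))
              for p in proposals]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed register of threat/vulnerability pairs.
PHISHING = Risk("phishing", "no MFA on email accounts", aro=4.0, sle=50_000.0,
                control_effectiveness=0.25)
RANSOMWARE = Risk("ransomware", "unpatched internet-facing servers", aro=0.5,
                  sle=400_000.0, control_effectiveness=0.5)
INSIDER = Risk("insider data theft", "excessive standing privileges", aro=1.0,
               sle=80_000.0, control_effectiveness=0.0)
REGISTER = [RANSOMWARE, INSIDER, PHISHING]

# Constructed proposals for next year's budget request.
PROPOSALS = [
    Proposal("MFA rollout", PHISHING, mitigation_ratio=0.8, annual_cost=30_000.0),
    Proposal("patch automation", RANSOMWARE, mitigation_ratio=0.6, annual_cost=50_000.0),
    Proposal("privilege review tooling", INSIDER, mitigation_ratio=0.5, annual_cost=60_000.0),
]


if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.threat:20s} {r.vulnerability:35s} residual ALE {r.residual_ale():>10,.0f}")
    for name, value in rank_proposals(PROPOSALS):
        print(f"{name:25s} ROSI {value:+.2f}")
```

With these constructed numbers the MFA rollout removes 120,000 of a 150,000 residual annual loss for 30,000, a ROSI of 3.0, while the privilege review tooling removes 40,000 for 60,000 and scores negative; that ordering, not the absolute figures, is what the board can act on, and rerunning the same functions next year with updated inputs is the "same scoring algorithm over time" the article recommends.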

Apart from underlining the losses the company might avoid, it is worth translating the value that security projects can bring to the business. In other words, present budget requests to the board as opportunities to help meet its business objectives, such as reducing costs, increasing revenue or increasing the company’s value on the market.

Arguing for investments in security projects is always a challenge. Executives will not be swayed by vague promises or crystal ball predictions; it is essential to provide hard data that illuminates how a fortified security posture can help the business prosper. Plus, it is crucial to understand the market and the organisation’s objectives well, because it will help to identify the most business-critical risks and better articulate benefits that boards care about.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic