Information systems security is very vital in enterprises today, in order to curb the numerous cyber threats against information assets. Despite the good arguments that are put up by Information security managers, the Board and Senior Management in Organizations, might still drag their feet, to approve information security budgets, visa vi other items, like marketing and promotion, which they believe have greater Return on Investment (ROI). How do you then, as a Chief Information Security O fficer (CISO) / IT / Information Systems manager, convince Management or the Board of the need to invest in Information security?
I once had a conversation with an IT Manager for one of the big regional financial institutions, who shared his experience on getting an information security budget approved. The IT department was tussling it out with Marketing for some funds that had been made available from savings on the annual budget. "You see, if we invest in this marketing campaign, not only shall the targeted market segment help us make and surpass the numbers, but also estimates show that we could more than double our loan portfolio." argued the marketing people. On the other hand, IT's argument was that "By being proactive in procuring a more robust Intrusion prevention System (IPS), they will be reduction in security incidents". Management decided to allocate the extra funds to Marketing. The IT people wondered then, what they had done wrong, that the marketing people got right! So how do you ensure that you get that budget approval for your Information security project?
It's vital for management to appreciate the consequences of inaction as far as securing the Enterprise is concerned, if a breach occurred not only will the organization su ffer from loss of reputation and customers, due to reduced confi dence in the brand, but also a breach could lead to loss of revenue and even legal action being taken against the organization, situations in which good marketing campaigns might fail to redeem your organization.
We try to address the major points management could raise against investing in information security.
1. Information security solutions tend to be costly, where are the tangible returns?
The overall goal of any organization is to create / add value for the shareholders or stakeholders. Can you quantify the bene fits of the countermeasure you want to procure? What indicators are you employing to justify that investment in information security? Does your argument for a countermeasure align with the overall objectives of the Organization, how do you justify that your action will help the organization achieve its goals and increase shareholders / stake holder's value. For example, if the organization has prioritized customer acquisition and customer retention, how does procurement of the information security solution you propose, help achieve that goal?
2. Isn't the countermeasure a panic / isolated reaction to a regulatory requirement or recent audit query?
The vast majority of Information security projects could be driven by external regulations or compliance requirements, or could be as a reaction to a recent query by the external auditors or even as a result of a recent systems breach. For example, a financial regulator could require that all financial institutions implement an IT Vulnerability assessment tool. Thus, the organization is required to comply at any cost or face penalties. While response to these regulatory requirements is necessary, just plugging the holes and "fighting the fires" approach are not sustainable. The implementation of process change in isolation could result into an environment of working in silos, conflicting information and terminology, disparate technology, and a lack of connection to business strategy. 
Uncoordinated reactions to specific regulatory requirements, may lead to implementing solutions that are not aligned with the business strategy of the organization. Therefore to overcome this problem and get funding approval and management support, your argument and business case should show how the solutions you intend to procure fit into the bigger picture, and how this aligns with the overall objective of securing assets in the organization.
What are the costs, implications, and the impact of doing nothing?
You will need to communicate to management, the basic business value of the solution you want to procure. You will start by showing / calculating the current cost, implications, and the impact of doing nothing; if the countermeasure you want to procure is not in place. You could classify these as:
Direct cost – the cost that the organization incurs for not having the solution in place.
Indirect cost – the amount of time, effort and other organizational resources that could be wasted.
Opportunity cost – the cost resulting from lost business opportunities, if the security solution or service you propose was not in place and how that could impact the organization's reputation and goodwill.
You could use the following pointers and expound on these further:
• What regulatory fines due to non-compliance, does the organization face?
• What is the impact of business interruption and productivity losses?
• How will the organization be impacted, her brand or reputation that could result in huge financial losses?
• What losses are incurred due to poor management of business risk?
• What losses do we face attributed to fraud: external or internal?
• What are the costs spent on people involved in mitigating risks that would otherwise be reduced by deploying the countermeasure?
• How will loss of Data, which is a great business asset, impact our operations and what is the actual cost of recovering from such a disaster ?.
• What is the legal implication of any breach as a result of our non-action?
How does the proposed solution reduce cost and increase business value.
You will then need to show how the countermeasure you propose is going to reduce cost and increase business value. Again you could expound more on the following areas:
• Show how increased efficiencies and productivity, of deploying the countermeasure will benefit the organization.
• Quantify how reduced downtime will increase business productivity.
• Show how being proactive could reduce on IT Audit & Assessment costs.
• Quantify the cost reduction that would otherwise be associated with internal audits, third-party audits, and technology.
According to a 2011 research conducted by the Ponemon Institute and Tripwire, Inc. , it was found that Business disruption and productivity losses are the most expensive consequences of non-compliance. On average, non-compliance cost is 2.65 times the cost of compliance for the 46 organizations that were sampled. With the exception of two cases, non-compliance cost exceeded compliance cost. . Meaning that, investing is information security in order to protect information assets and comply with regulatory requirements, is actually cheaper and reduces costs, as compared to not putting any countermeasures in place.
Get support from the various business units in the organization
A good budget proposal should have support of the other business units in the organization. For example, I did suggest to the IT manager mentioned before, that probably he should have discussed with Marketing and explained to them on how a reliable and secure network, would make it easier for them to market with confidence, probably IT would have had no competition for the budget. I don't believe the marketing people would like to go face customers, when there are possible questions of unreliable service, system breaches and downtime. Therefore you should ensure that you have support of all the other business units, and explain to them how the proposed solution could make life easier for them.
Create a rapport with Management / Board, for even future budget approvals, you will need to publish and give reports to management on the number of network anomalies the intrusion-detection system you recently procured for example, found in a week, the current patch cycle time and how much time the system has been up with no interruptions. Reduced downtime will mean you have done your job. This approach will show management that there is for example an indirect reduction of insurance cost based on value of policies needed to protect business continuity and information assets.
Getting your information security project budget approval, should not be so much of a challenge, if one was to cater for the main issue of value addition. The main question you need to ask yourself is how does your proposed solution improve the bottom line? What the Management / Board require is an assurance that the solution you propose will produce real long term business value and that is aligned with the overall objectives of the organization.
1. Thomson Reuters Accelus, BUILDING A BUSINESS CASE FOR GOVERNANCE, RISK AND COMPLIANCE, 2010.
2. Ponemon Institute, The true cost of compliance, 2011.