How to Advocate For More Resources for Information Security
February 8, 2017
In most organizations there is a deep and wide chasm of understanding between information security professionals and executives, and as technical professionals we must communicate cyber risk to our executives more effectively. You may not see it from where you sit, but when it comes to project funding there is usually intense competition at the executive level for money and people.
While you are proposing a project to reduce certain information risks, the marketing team may be proposing a brand refresh to increase revenue, the sales executive may be campaigning for a new customer relationship management (CRM) system to increase revenue, and operations may want a new workforce scheduling system to become more efficient and save money.
In all three examples, notice that the focus is on increasing top-line revenue or reducing expenses. Wouldn't you like to stop playing the "compliance" card? If so, this is the playing field you need to be on.
For your boss to have the greatest chance of funding your spending proposals, you need to be able to describe the business benefits of the valuable hours and hard-earned money you are asking the organization to commit.
Describe the benefits model
The way you become competitive is to explain your proposals in terms of the business value you will create. There’s a four-dimension model I use to do this:
The four categories (starting in the upper right-hand corner of the model's quadrant diagram) are:
- Expected return;
- Risk management;
- Indemnity (protection against a financial loss); and
- Reliability of operations.
Each value area is made up of several sub-parts. By scoring each of your projects against those sub-parts, you can identify where it creates the most business value and lead with that when you promote the proposal.
Real Example: Encrypt PII in our databases
Suppose you propose to encrypt all Personally Identifiable Information (PII) in your production databases. This is often a big-dollar project with significant impact on business operations: application changes, query and performance costs, and a key management system that keeps the keys separate from the data they protect.
Intuitively, we know this is a great strategy to prevent data breaches. But how well does that rationale compare against a competing project that aims to increase profits or reduce costs?
Not very well, in my experience!
By closely examining the various business value factors, I would say the top benefit is indemnity. Remember that indemnity is "protection against a financial loss", like an insurance policy. Executives buy insurance to manage risk all the time, so this is a concept they are already familiar with.
Indemnity is the leading factor for two major reasons:
First, by encrypting that PII, your organization will probably be better aligned with its own information security policy as well as the standard of due care, or what the FTC calls "reasonable" security for a company of your size in your industry. So if there is a breach of consumer information, the sanctions against your organization will probably be less severe.
The other probable indemnity benefit is a legal exemption from public breach notifications, which saves a lot of money and guards your reputation. Note that most US state breach-notification statutes grant that exemption only when the data was encrypted and the decryption key was not also acquired, so the project has to deliver key management that keeps keys out of an attacker's reach, not just ciphertext in the tables. Study after study shows that people don't like doing business with organizations that suffer data breaches, so there is data to back the assertion that we need to guard our reputation as trustworthy record holders. But I'm not giving legal advice here, so be sure to talk this over with a good cyber risk attorney.
Thus, your project protects your organization against serious financial and reputational loss. After all, the average data breach in the US costs over $4 million, including direct costs, indirect costs, and abnormal customer churn.
Want to learn more? Take my course, Implementing an Information Security Program! It’s available for free for a limited time.