IT managers should focus on explaining business risk, customer impact, regulatory requirements and due diligence when justifying the need for IT security investments to corporate executives.
IT and business managers at The Security Standard conference last week also suggested that security personnel not use technology jargon or overstate the threats to their companies when proposing new projects to top executives.
"What we need from a CSO are facts, objectivity and some real clear recommendations" to demonstrate achievable returns on security investments, said Lawrence Kinsella, chief financial officer at London-based BT Global Financial Services' New York operation. "What we are not looking for is 'the-sky-is-falling' FUD" -- fear, uncertainty and doubt.
During a panel discussion at the conference, Kinsella added that security managers sometimes offer executives little reliable data to show that the projects they are pushing will truly mitigate future risks. And although traditional ROI estimates may not be required, security managers should clearly articulate business and customer risks, he said.
"If it is not well planned, if you are not thinking a few moves down the chess board, I don't want to hear it," Kinsella said.
The issue is gaining prominence as companies start replacing reactionary security models with more preemptive ones, said Scott Blake, chief information security officer at Boston-based Liberty Mutual Insurance Group.
Blake said that security officers must use language that is clearly understood by business executives when they explain the need for changes. And, he said, IT security officers must work to understand the requirements of the business side.
Tell it like it is
The key is for IT managers to "keep it real and get something that resonates with the executive body," said John Schramm, senior vice president of enterprise information security in the Cincinnati offices of Boston-based Fidelity Investments.
Schramm suggested that IT managers use external examples, such as a security breach or the emergence of a broad industry trend, to gain the attention of the executives who hold the corporate purse strings. "Use examples, use events in the media; pick the top [security] issue in the paper, which these senior executives read, and show them how it is being addressed," Schramm said.
On the other hand, Blake noted that stories about external events, although powerful, can be anecdotal. "Going to the board and CEO and saying, 'We are spending x percent, but we should spend y percent,' is very challenging" if the discussion is based only on what other organizations are doing, he said.
Showing business executives how a security investment can protect a company from legal and governance liabilities is also important, said Tom Bowers, manager of information security operations at a large drug company that he asked not be named.
As an outsourcer of IT operations, the company's ability to seek legal protection under intellectual property laws would be considerably weakened if it didn't implement what are seen as reasonable controls, such as encryption, content monitoring and digital rights management, Bowers said. Highlighting such issues can help reinforce the business value of security investments, he added.
Douglas Callen, chief security officer at the Transportation Security Administration, a part of the U.S. Department of Homeland Security, noted that the need to convince business executives to take specific security measures is less of a concern for government agencies like his, where security is a fundamental requirement.
"I don't have to fight those same kind of internal battles," as many in the private sector must, he said. "I've just got to make a case because there is a vulnerability" or because of a government mandate, Callen said.
Edward Amoroso, CSO at AT&T, suggested that "the most effective way to get more funding for security is to flunk an audit test." However, he also noted that such a move is risky because audit failures can suggest incompetence on the part of the security organization.
"That can be destructive to one's career," Amoroso said. But having an auditor come in to identify security gaps can be a useful way of attracting the attention of top executives to issues that need to be addressed immediately, he added. "On the one hand, [a failed audit] can suggest you don't know what you are doing," Amoroso said. "On the other hand, it can be a great force for change."