Monday, April 28, 2014

4 Ways to Sell Security Expenses to Business Executives

Image from http://www.pandgsecurity.com.au/
One of the most challenging parts of being a security administrator is asking for more money, especially when it appears as though everything is working fine. The old adage comes to mind, "If it's not broken, don't fix it."

Unfortunately, this philosophy can be disastrous in the security world. New technology acquisition is often much easier for the CIO than for the CISO for one simple reason: business executives like new, shiny toys. They don't however, like to invest in technology that they are unable to see and play with.

For this reason, you must always address new security capability procurements in business terms that executive management understands. In other words, you have to show them the money. The following are 4 ways of getting business minded people to see the benefit of making security expenses that they do not fully understand.

1. Create a "What If" Scenario: This suggestion is often the easiest, especially since the most of the associated research is has already been performed if you are an active and aware security professional. Compile a list of the most recent vulnerabilities and exploits, whether they pertain to your organization or not. Then, take the data from your business continuity and disaster recovery plans (hopefully they are up to date and accurate) to calculate the amount of money lost each day when information and information assets are not available. Many times this kind of scare is enough to continue the conversation.

2. Capitalize on Competition: Business executives are always trying to compare their business with similar organizations because they do not want to be driven out of the market. On that same note, they often enjoy a good story about their competition's shortfalls. Find some similar organizations around the world that have suffered from security incidents, especially those that have lost a considerable amount of money. When you give this presentation and provide a solution, it can easily be seen as a win/win. Not only does it look like you are a better security professional than what the "other guys" have because it did not happen to your organization, but it also gives the executives an opportunity to make a decision that will give them a leg up on other members of the industry. Business people like to think that their company is an industry leader. All you have to do is give them an opportunity.

To put a cherry on top, it might be a good idea to reference the same profit loss data as in the previous suggestion when comparing against the competition.

3. Do Your Research: Nothing turns business people off more than speaking with someone who has no business sense. If you are unable to show a positive return on investment (ROI) for the procurement, they can feel like you have wasted their time. For this, make sure that you don't just research solution capabilities, but also the associated costs. Another tip is to only suggest solutions that fulfill the current need, along with projected organizational growth and near-term future requirements. It is fine to go up a size or two when buying a winter coat for your child, but it might be a waste of money to splurge on an adult large that they will never grow into.

Make sure you do research and find the best return on investment

4. Role Identification: When all else fails and you are sure you are absolutely right, it might be a good idea to remind your executives that ultimately they are the information owners. You are doing your job by identifying the problems and presenting solutions, but it is their responsibility to approve or disapprove the security measures. It is also their responsibility to protect their information. If a security incident occurs that would have been avoided if they chose to approve your suggested investments, it won't be your picture on the front page of the newspaper.

This is a bold step, but it has the possibility getting your recommendation funded AND changing the way they look at the security of their organization's information.

These 4 ways to sell security expenses to business executives could help you make your organization more secure, avoid security incidents, and ultimately keep your job. If you have any suggestions or additional tips for performing this task, please let me know in the comments section down below and I might add them to the list.

Read, Love, Comment, Share!

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.