Information systems security is vital for today's businesses if they are to curb the numerous cyber threats against their information assets. Despite the good arguments put forward by information security managers, the Board of Directors and Senior Management in organizations can still take a long time to approve information security budgets, favouring other items, such as marketing and promotion, which they believe have a higher Return on Investment (ROI). So how do you, as a CISO, IT manager or information systems manager, convince management or the board of the need to invest in information security?

I once had a conversation with an IT Manager from one of the large regional financial institutions, who shared his experience of getting an information security budget approved. The IT department was competing with Marketing over some funds that had been made available from savings in the annual budget. “You see, if we invest in this marketing campaign, not only will the target market segment help us make and beat the numbers, but estimates also show that we could more than double our loan portfolio,” the marketing people argued. On the other hand, IT’s argument was that “by being proactive in acquiring a more robust Intrusion Prevention System (IPS), security incidents will be reduced.” Management decided to allocate the additional funds to Marketing. The IT people then wondered: what had they done wrong that the marketing people got right? So how do you ensure you get budget approval for your information security project?

It is vital that management appreciates the consequences of inaction when it comes to company security. If a breach occurs, the organization will not only suffer a loss of reputation and customers due to reduced trust in the brand, but also a regulatory violation; it could lead to lost revenue and even legal action against the organization, situations from which good marketing campaigns might not redeem your organization.

Below we address the main objections that management might raise against investing in information security.

1. Information security solutions tend to be expensive, where are the tangible benefits?

The overall goal of any organization is to create/add value for shareholders or stakeholders. Can you quantify the benefits of the countermeasure you want to purchase? What indicators are you using to justify that investment in information security? Does your argument for a countermeasure align with the overall goals of the organization? How do you justify that your action will help the organization achieve its goals and increase shareholder/stakeholder value? For example, if the organization has prioritized customer acquisition and retention, how does the acquisition of your proposed information security solution help achieve that goal?

2. Is the countermeasure not an isolated or panic reaction to a recent regulatory requirement or audit inquiry?

The vast majority of information security projects may be driven by external regulations or compliance requirements, or may be a reaction to a recent query from external auditors or even the result of a recent systems breach. For example, a financial regulator might require all financial institutions to implement an IT vulnerability assessment tool; the organization is therefore obliged to comply at all costs or face sanctions. While it is necessary to meet these regulatory requirements, merely plugging the holes with a “fight fires” approach is not sustainable. Implementing process change in isolation could lead to a siloed work environment, conflicting information and terminology, disparate technology, and a lack of connection to business strategy. [1]
Uncoordinated reactions to specific regulatory requirements can lead to the implementation of solutions that are not aligned with the organization’s business strategy. Therefore, to overcome this issue and gain funding approval and management support, your argument and business case must show how the solutions you intend to acquire fit into the bigger picture and how they align with the overall goal of securing the organization’s assets.

What are the costs, implications and impact of doing nothing?

You will need to communicate to management the basic business value of the solution you wish to purchase. Start by showing and calculating the actual cost, implications and impact of doing nothing, i.e. of the countermeasure you want to purchase not being in place. You could classify these as:

Direct cost – the cost incurred by the organization for not having the solution implemented.
Indirect cost – the amount of time, effort and other organizational resources that could be wasted.
Opportunity cost – the cost resulting from lost business opportunities if your proposed security solution or service were not implemented, and how it could affect the organization’s reputation and goodwill.

You can use the following questions as prompts and expand on them further:

• What regulatory fines for non-compliance does the organization face?
• What is the impact of business interruption and productivity losses?
• How will the organization, its brand or reputation be affected in ways that could result in huge financial losses?
• What losses are incurred due to poor business risk management?
• What losses do we face attributed to fraud: external or internal?
• What are the costs spent on the people involved in risk mitigation that would otherwise be reduced by implementing the countermeasure?
• How will the loss of data, which is a huge business asset, affect our operations, and what is the real cost of recovering from such a disaster?
• What is the legal implication of any breach as a result of our inaction?

How does the proposed solution reduce costs and increase business value?

You will then need to show how your proposed countermeasure will reduce costs and increase business value. Again, you could expand on the following areas:

• Show how the increased efficiency and productivity of implementing the countermeasure will benefit the organization.
• Quantify how reducing downtime will increase business productivity.
• Show how being proactive could reduce IT audit and assessment costs.
• Quantify the cost reduction that would otherwise be associated with internal audits, third-party audits, and technology.

According to a 2011 study by the Ponemon Institute and Tripwire, Inc., business interruption and productivity losses were found to be the most costly consequences of noncompliance. On average, the cost of noncompliance was 2.65 times the cost of compliance for the 46 organizations that were sampled; with the exception of two cases, the cost of noncompliance exceeded the cost of compliance. [2] This means that investing in information security to protect information assets and meet regulatory requirements is actually cheaper and lowers costs compared to not implementing any countermeasures.

Obtain support from the different business units of the organization

A good budget proposal must have the support of the other business units of the organization. For example, I suggested to the IT manager mentioned above that, had he discussed the proposal with Marketing and explained how a reliable and secure network would make it easier for them to market with confidence, IT probably wouldn’t have faced competition for the budget. I don’t think marketing people would like to face customers when there are potential questions about unreliable service, system failures and downtime. Therefore, you must ensure that you have the support of all the other business units and explain to them how the proposed solution could make their lives easier.

Build a relationship with Management and the Board of Directors, including with a view to future budget approvals. You will need to publish and deliver reports to management on, for example, the number of network anomalies that the intrusion detection system you recently purchased found in a week, the current patch cycle time, and how long the system has been running without interruption. Reduced downtime will mean you’ve done your job. This approach will show management that there is, for example, an indirect reduction in insurance costs, based on the value of the policies needed to protect business continuity and information assets.

Getting budget approval for your information security project shouldn’t be too much of a challenge if you address the core issue of adding value. The main question to ask yourself is how the proposed solution improves the bottom line. What Management and the Board of Directors require is assurance that the solution you propose will produce real long-term business value and that it is aligned with the overall objectives of the organization.

References:

1. Thomson Reuters Accelus, Building a Business Case for Governance, Risk and Compliance, 2010.

2. Ponemon Institute, The True Cost of Compliance, 2011.

By admin
