Building a business case for information security

Khalid Kark offers five key points for articulating the value of infosecurity.

Regulation

As regulations stack up, the requirements seem to increase exponentially. The security organization is tasked not only with managing the IT compliance requirements of multiple regulations, but with doing so efficiently enough that a single audit or assessment can be reused multiple times. CISOs should focus on the following areas when articulating the value of regulation: complying with multiple regulations simultaneously by developing a common security and audit framework, not just meeting the letter of the law but also incorporating the corporate perspective, and avoiding fines and penalties for non-compliance. As a good example, a retail outlet was able to avoid potential fines of $50,000 a day by putting in place an application firewall that carried a price tag of a little over $100,000.

Revenue

Although information security does not always contribute directly to the revenue of a company, it is often instrumental in protecting the corporate intellectual property. Savvy CISOs go one step further and bolster their value articulation by pointing out that security helps with protecting IP from being stolen or disclosed and with finding new business by marketing better security. In some industries, such as financial services, information security is part of the corporate marketing. Bank of America, for example, has successfully marketed itself as a bank that values its clients' privacy and security. As a result, Bank of America has come up with innovative ways to increase revenue through consumer security, such as offering two-factor authentication tokens for a small fee. For companies in such industries, security is an absolute necessity for both their internal users and their customers.

Resilience

Resilience is a top concern for many organizations due to pandemic scares and disasters such as hurricane Katrina or the tsunamis in the Far East. Many companies realized during these unfortunate disasters that they had no plans and processes in place to deal with them effectively. Security can help by ensuring continuity of critical business processes during these times and by coordinating and responding to threats and incidents efficiently.

A service provider in the Gulf region lost all its business when both its data centers, 30 miles away from each other, were destroyed in hurricane Katrina. The company did not recover from this loss and had to file for bankruptcy. On the other hand, a financial services company was not only able to switch over to its back-up facility in the northeast without any major hitch, but was also able to account for 99% of its staff within three hours of the hurricane hitting the coast. The business continuity efforts were spearheaded by the security team and coordinated with the disaster recovery team from IT. Although the company did suffer a loss, it was able to recover completely in less than 48 hours.
