Despite higher levels of awareness among executives about cybersecurity risk, security and risk management leaders struggle to make a clear and defensible business case for investing in a security program.
While the benefits of information security (increased confidentiality, integrity and availability) are clear to IT and security specialists, the “language” in which these benefits are articulated is usually unintelligible to executives.
Indeed, obtaining and maintaining executive support for information security strategies are challenging propositions. The fact that justification messages are usually constructed around negative themes, such as scare statistics, inflated risk exposures and impending disasters, does little to further the cause.
It’s important to articulate the value of your security activities in business terms. Bitter lessons learned during the global economic slowdown 10 years ago mean that security teams must continue to improve the way in which they justify their activities and plans: initiatives that can’t demonstrate clear business value will not be funded.
If the enterprise is secure "enough", maintaining the investment is appropriate. However, IT doesn't stand still, and neither do security threats. Each new wave of technology and business initiatives brings new risks. New threats are constantly emerging. New opportunities are made possible, or at least more feasible, through new security initiatives that are also emerging.
The bottom line is that you need to speak to business partners in terms they understand, to demonstrate not necessarily a return on investment (ROI), which is elusive for security in general, but the broad value that security offers the enterprise.
Information security business value model
Start by developing a model for articulating information security benefits that outlines expected business value in a consistent format. The value of investing in strategic information security activities can then be captured, summarised and communicated in a concise format.
Focus on the following value categories:
- Integrity – to emphasise the impact on the reliability and availability of daily business operations.
- Investment – to capture the expected returns, such as financial, brand enhancement, competitive differentiation, future agility and organisational adaptability.
- Insurance and assurance – to address the risk management benefits.
- Indemnity – to highlight the compliance benefits of limiting regulatory and stakeholder exposure.
These value components subtly express the positive outcomes of investing in security in a manner that relates to business challenges.
Identify drivers and extrapolate actions
Of course, the valid, but rather generic, benefits of this model don’t mean much unless they’re directly related to the unique situation within your enterprise.
A good starting point is to capture existing business drivers that manifest themselves in your organisation, whether it be protecting the corporate brand and its associated values, supporting the market share strategy, changes in business or regulatory environments, information security trends or other drivers.
The final step is to map all the recommended projects and investment areas to the value categories and associated drivers. This results in a model that explains:
- What recommended projects and initiatives need to be done;
- Why it’s important to take these actions (the drivers); and
- What the expected business value is.
Communicate actions, drivers and value
Simply having a model doesn’t provide a “silver bullet” for successful executive communication. The business value must be communicated in a format that will be accepted and assimilated by the intended audience, whether a presentation, a strategy document, an executive memorandum or any other appropriate mechanism.
Communicate the proposed actions, relevant business drivers and expected business value of the information security program. Include a summary of estimated costs and resource requirements, as well as a high-level indication of the expected duration of the combined activities. Make sure you tailor the message to the audience’s characteristics and to corporate cultural realities.
There are a few major obstacles to effective communication, particularly a lack of ownership among business executives of their respective accountabilities for managing the risks of their information resources, as well as the lack of formal corporate trustability goals.
A clothing retailer, for example, might want to be a trusted e-commerce provider, but it hasn’t adequately dealt with its own corporate trustability goals to improve the trust in the organisation among customers, partners, employees and other stakeholders. This dilutes any attempts to communicate business value.
In some cases, the best starting point is to ask upper management to explicitly define its risk management and trustability goals.
Provide feedback on benefits
When a security team does a good job, most people in the business aren’t aware of its existence – no security incidents means no “publicity” for the security team. The only visible component will be the information security budget. This can plant a question in executives’ minds: “If we don’t have any security problems, then why are we paying so much for security?”
It’s important to provide feedback to executives on the actual benefits that are realised, as well as those that aren’t. A key component of maintaining credibility is to provide continuous, honest feedback on security activities and achievements. Specifically, compare actual results with expected benefits. This reinforces the trust relationship between the security team and the business.
About the author
Tom Scholtz is a distinguished VP analyst at Gartner. He is an acknowledged authority on information security governance, security strategy, security organisational dynamics and security management processes.