Information Security News mailing list archives

Selling Security to the CFO


From: InfoSec News <isn () c4i org>
Date: Tue, 14 Oct 2003 07:18:06 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.computerworld.com/managementtopics/roi/story/0,10801,85892,00.html

Story by Doug Lewis
OCTOBER 13, 2003 
COMPUTERWORLD

"Shut it down, now!" The guy issuing this command was my chief 
information security officer (CISO). The "it" he ordered shut down was 
our entire Internet infrastructure. That infrastructure was generating 
more than $2 million of high-profit revenue every day. After a 
sleepless night he had finally figured out why we were suffering a 
prolonged denial-of-service attack. Our firewalls should have been 
flawlessly deflecting this attack, but they weren't. The "bad guys" 
were on us like flies on a dead dog. 

His sudden realization was that the firewalls had been reloaded 
without any of the most critical defensive rules. 

The cause of this attack turned out to be human error, but the event 
triggered a complete review of our Internet security, followed by a 
decision to beef up our defenses and outsource much of our security 
administration and monitoring. 

Back in the good old days, security consisted of a few firewalls and 
some virus protection. The threats have outgrown those simple 
defenses, and the cost has outgrown the approval level of the CISO 
and, sometimes, that of the CIO. Fortune 500 companies are finding 
themselves with security expenditures that require CEO and even 
board-level approvals. Each one of these companies comes with a 
beady-eyed chief financial officer demanding a rock-solid business 
case with a credible return on investment. 

So you've got three problems. You've got to determine the appropriate 
level of security for your company. You've got to build a business 
case that nontechnical senior executives will understand and support. 
You've got to show that there's a financial return coming out of the 
investment. And all this is for a system where, if it's performing 
perfectly, nothing happens, right? 

Take a deep breath. It can be done, and with credibility that even the 
toughest CFO will buy into. 

Step 1: Determine the current and appropriate levels of security. Get 
a security assessment done by a company with a solid reputation. Be 
sure to include vulnerability assessments and penetration tests 
against your key systems. (Key systems are those that move money, 
customer data, employee data or products.) Don't do this yourself. You 
probably don't have the expertise, but even if you did, you wouldn't 
have the credibility you need to sell the business case. 

Done right, you'll emerge from the assessment with a very good idea of 
the state of your IT security vs. where you should be and what you'll 
need to do to get there. Don't be defensive. Share the results with 
your CEO and business-unit chiefs. They'll become your allies in the 
fight to get the business case approved. Make it easy for them to 
understand the problem and the cure. 

The assessment will tell you where your defenses are weak and drill 
deeply into each area of exposure. You should know for each 
application what the potential security breach would be, the total 
economic impact of such a breach and the likelihood of the breach 
happening. The best source for this type of data is the annual report 
jointly released by the Computer Security Institute and the FBI. It 
has credibility that your CFO will respect. 

The last part of the assessment is to project your security costs over 
the next five years based on the use of your current technology and 
processes. 

Step 2: Build a security plan to fix the holes identified by the 
assessment. Cover all the bases. Perimeter firewalls, virus 
protection, intrusion detection, internal network segmentation, 
applications, deployment, hiring, outsourcing, training, monitoring 
and operations all need to be included. Make it a five-year total cost 
of ownership (TCO) model. Whatever you do, don't underestimate the 
difficulty and cost of putting these pieces in place. There are 
countless stories of good people getting fired because they had 
intrusion-detection devices sitting in the warehouse six months after 
paying for them. They simply didn't have the staff to install the 
devices. 

The TCO is going to be much bigger than you expect. Security is 
expensive. However, if you don't include all the elements and don't 
make the five-year TCO calculations, the CFO will just make you do it 
over, and you'll lose points. If you sneak a low-ball number through 
the approval process, you'd better start polishing your resume. 

Step 3: Build an ROI-based business case for security investments. It 
can be done, and here's how: The secret is to explain to senior 
executives what you're trying to do in terms they can understand. They 
survive by making smart resource (money) allocation decisions. Give 
them an understandable set of facts, and they'll spit out the right 
answer. 

Start at 50,000 feet. Mental pictures and diagrams work well with 
senior execs. I use a security S-curve diagram and a castle-and-moat 
analogy. 

Explain that you're building a moat around a castle. Until you get the 
moat completely around the castle, you've spent a lot of money with no 
improvement in security. That analogy represents the far left side of 
the S-curve. Until you've established a minimum level of protection, 
you're spending a lot of money but are still totally vulnerable. 

Once you've got the moat encircling the castle, you can decide how 
wide and how deep it needs to be. This is the middle of the diagram, 
which I call the Prudent Zone. It varies by vertical industry. Talcum 
powder manufacturers need less security than credit card processors. 
Building the moat a mile wide and only yards deep is a waste of good 
money. This represents the far right side of the S-curve. You're 
spending a lot of money and not significantly improving your security. 
CFOs fire CIOs who waste money these days; that looks really bad on 
the resume. 

Next, drop down to 20,000 feet. Say what you want to do with the money 
and why. I use a risk/solution matrix. It takes data from the 
assessment and lists the risk areas, the economic impact of a security 
breach in each risk area, the likelihood of a breach happening and the 
resulting cost to the business of each breach. I match up the elements 
of my security plan against the risks and check every box where the 
plan addresses a risk. 

I like to list all the actions required to complete the moat first. 
Then I list the actions that would bring the company to its Prudent 
Zone. Next, I list the things that would take the company a bit past 
the Prudent Zone—but not too far past. 

Now that you've anchored each proposed action and its cost to a 
financial risk model, you need to tie an ROI to each action. You have 
four fundamental ROI opportunities for each action: reduce current 
costs, reduce future costs, reduce the financial risk to the business 
or increase revenue. CFOs get giddy over this stuff! 

Investment in information security can provide an ROI by reducing your 
annual loss expectancy (ALE) from a security breach. ALE is a 
calculation of the actual cost of a security breach multiplied by the 
probability that such a breach might occur in the coming year. It's 
much like the actuarial calculations insurance companies use to 
compute your premiums. 

For example, let's assume you have a Web site that does $2 million of 
business per day. The security assessment shows the site is vulnerable 
to a denial-of-service attack, which would result in a three-day 
outage, and there's a 60% likelihood of a successful attack occurring. 
The ALE is $2 million per day × three days × 60% = $3.6 million. 

The security improvement costs $500,000 and will reduce the likelihood 
to 15% and the outage to one day. The improved ALE is $2 million per 
day × one day × 15% = $300,000. This yields a first-year return of 
$3.3 million ($3.6 million minus $300,000) from a $500,000 investment. 
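The ALE arithmetic above, together with the risk/solution matrix and the five-year TCO described earlier, can be carried as one small model so that every proposed action is tied to the risk rows it addresses. The following is an added example, not code from the article or from the author's consulting practice. It uses the article's own figures for the denial-of-service row; the second risk row, the `annual_cost` field (set to zero because the article gives no recurring figure), and all class and function names are assumptions introduced for illustration.

```python
"""Annual loss expectancy (ALE) and ROI model for a security business case.

Added example, not code from the article. The second risk row and the
recurring-cost field are constructed to show the general multi-risk case.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    """One risk area from the assessment: impact, duration and likelihood."""
    key: str
    loss_per_day: float   # economic impact per day of outage (e.g. lost revenue)
    outage_days: float    # expected outage length if the breach succeeds
    likelihood: float     # probability of a successful breach in the coming year

    def single_loss(self) -> float:
        """Cost of one successful breach: impact per day times outage length."""
        return self.loss_per_day * self.outage_days

    def ale(self) -> float:
        """Breach cost multiplied by the probability it occurs this year."""
        return self.single_loss() * self.likelihood


@dataclass(frozen=True)
class Control:
    """A security-plan action, its cost, and the residual risk it leaves."""
    name: str
    upfront_cost: float
    annual_cost: float                              # recurring staff/monitoring cost
    residuals: dict = field(default_factory=dict)   # risk key -> Risk after the control


def ale_reduction(risks, control) -> float:
    """Yearly reduction in expected loss across the risk rows the control addresses."""
    by_key = {r.key: r for r in risks}
    return sum(by_key[k].ale() - after.ale()
               for k, after in control.residuals.items() if k in by_key)


def uncovered(risks, controls) -> list:
    """Risk rows with no checked box in the matrix: the gaps still left in the moat."""
    covered = {k for c in controls for k in c.residuals}
    return [r.key for r in risks if r.key not in covered]


def business_case(risks, control, years: int = 5) -> dict:
    """Tie the control's TCO over the planning horizon to its cumulative ALE reduction."""
    tco = control.upfront_cost + control.annual_cost * years
    reduction = ale_reduction(risks, control) * years
    return {"tco": tco,
            "ale_reduction": reduction,
            "net_benefit": reduction - tco,
            "roi": (reduction - tco) / tco}


# Article's figures: a $2M/day site, three-day outage, 60% likelihood.
DOS_RISK = Risk("dos", 2_000_000, 3, 0.60)
# Constructed second row so the matrix has an unaddressed risk to report.
DATA_RISK = Risk("customer-data-theft", 750_000, 2, 0.25)

DOS_FIX = Control(
    "DoS mitigation (the article's $500,000 improvement)",
    upfront_cost=500_000,
    annual_cost=0,          # assumption: the article states no recurring cost
    residuals={"dos": Risk("dos", 2_000_000, 1, 0.15)},
)

if __name__ == "__main__":
    print(f"ALE before fix: ${DOS_RISK.ale():,.0f}")                   # 3,600,000
    print(f"ALE after fix:  ${DOS_FIX.residuals['dos'].ale():,.0f}")   # 300,000
    case = business_case([DOS_RISK, DATA_RISK], DOS_FIX, years=1)
    print(f"first-year ALE reduction: ${case['ale_reduction']:,.0f}")  # 3,300,000
    print(f"net of the investment:    ${case['net_benefit']:,.0f}")    # 2,800,000
    print("risks no control addresses:",
          uncovered([DOS_RISK, DATA_RISK], [DOS_FIX]))                 # ['customer-data-theft']
```

The `ale_reduction` figure is the $3.3 million the article calls the first-year return; `business_case` also reports the benefit net of the control's TCO, which is the number a CFO's standard ROI tables will want, and the `years` parameter lets the same row feed the five-year model. `uncovered` is the "check every box" step: any risk row it returns is one the plan does not yet address.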

Now you've got all the raw ingredients for a successful business case. 
The next step is to let your IT finance person produce your company's 
standard ROI financial tables and then wrap the assessment summary, 
the security plan with its five-year TCO, the risk/solution matrix and 
the ROI calculations into the standard company format. Remember, you 
want the business case for security to look exactly like the business 
case for any other company investment. 

Build a short PowerPoint presentation describing the highlights of 
your story. Stay high-level. If you get into the speeds and feeds, 
your audience's eyes will glaze over, and you'll lose credibility as a 
business person. Shop the PowerPoint pitch to each senior executive 
individually before your business case goes to the executive 
committee. Don't skip the CFO. Listen well and incorporate what you 
hear into the document. Now you're ready to take the business case to 
the executive committee. 

Follow this formula, and your next problem will be figuring out how to 
spend the money. 

Lewis, former CIO at InterContinental Hotels Group PLC, is head of The 
Edge Consulting Group LLC in Atlanta. He can be contacted at 
edgeconsulting () bellsouth net. 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*


