The Business Case for Information Security: Getting Your Security Budget Approved
Information systems security is vital to today’s businesses in order to counter the many cyber threats against information assets. Despite the sound arguments put forward by information security managers, Boards of Directors and the top management of organizations may still be slow to approve information security budgets, preferring other items, such as marketing and promotion, that they believe offer a higher return on investment (ROI). So how can you, as the Chief Information Security Officer (CISO), IT manager or Information Systems manager, convince management or the Board of the need to invest in information security?
I once had a conversation with an IT manager at one of the large regional financial institutions, who shared his experience of getting an information security budget approved. The IT department was fighting with Marketing over some funds that had become available thanks to savings in the annual budget. “You see, if we invest in this marketing campaign, the target market segment will not only help us meet and exceed the numbers, but estimates also show that we could more than double our loan portfolio,” the marketing people argued. On the other hand, IT’s argument was that “by being proactive in acquiring a more robust Intrusion Prevention System (IPS), security incidents will be reduced.” Management decided to allocate the additional funds to marketing. The IT people then wondered what they had done wrong, and what the marketing people had done right! So how do you ensure you get budget approval for your information security project?
It is vital that management appreciates the consequences of inaction when it comes to company security. If a breach occurs, not only will the organization suffer a loss of reputation and customers due to reduced trust in the brand, but the breach could also lead to loss of revenue and even legal action against the organization, situations from which good marketing campaigns might not redeem your organization.
Let us address the main objections management could raise against investing in information security.
1. Information security solutions tend to be expensive; where are the tangible benefits?
The overall goal of any organization is to create or add value for its shareholders or stakeholders. Can you quantify the benefits of the countermeasure you want to purchase? What indicators are you using to justify that investment in information security? Does your argument in favor of a countermeasure align with the overall objectives of the organization? How do you justify that your action will help the organization achieve its goals and increase shareholder or stakeholder value? For example, if your organization has prioritized customer acquisition and customer retention, how does purchasing your proposed information security solution help achieve that goal?
2. Isn’t the countermeasure an isolated or panic reaction to a recent regulatory requirement or audit inquiry?
The vast majority of information security projects are driven by external regulations or compliance requirements, or are a reaction to a recent inquiry from external auditors or even to a recent breach of systems. For example, a “financial regulator could require all financial institutions to implement an IT vulnerability assessment tool.” The organization must therefore comply at any cost or face penalties. While it is necessary to meet these regulatory requirements, simply plugging holes and “fighting fires” is not a sustainable approach. Implementing process change in isolation could result in a siloed work environment, conflicting information and terminology, disparate technology, and a disconnect from business strategy.
Uncoordinated reactions to specific regulatory requirements can lead to implementing solutions that are not aligned with the organization’s business strategy. Therefore, to overcome this problem and gain funding approval and management support, your argument and business case must show how the solutions you intend to acquire fit into the big picture and how they align with the overall goal of securing the organization’s assets.
What are the costs, implications and impact of doing nothing?
You must communicate to management the basic business value of the solution you want to purchase. Start by showing or calculating the current cost, implications and impact of doing nothing, that is, of not having the countermeasure you want to obtain in place. You could classify these as:
Direct cost – the cost incurred by the organization for not having the solution in place.
Indirect cost – the amount of time, effort and other organizational resources that could be wasted.
Opportunity cost – the cost resulting from lost business opportunities if your proposed security solution or service is not in place, and how that could affect the reputation and goodwill of the organization.
You can use the following questions and expand on them:
• What regulatory fines for non-compliance does the organization face?
• What is the impact of business interruption and productivity losses?
• How will the organization, its brand or its reputation be affected, and could that result in large financial losses?
• What losses occur due to poor business risk management?
• What losses do we face attributed to fraud: external or internal?
• What are the costs that are spent on the people involved in mitigating risks that would otherwise be reduced by implementing the countermeasure?
• How will the loss of data, which is a great business asset, affect our operations and what is the real cost of recovering from such a disaster?
• What is the legal implication of any breach as a result of our inaction?
How does the proposed solution reduce costs and increase business value?
Then you will need to show how your proposed countermeasure will lower costs and increase business value. Again, you could expand on the following areas:
• Show how the efficiency and productivity gains from implementing the countermeasure will benefit the organization.
• Quantify how reducing downtime will increase business productivity.
• Show how being proactive could reduce IT assessment and audit costs.
• Quantify the cost reduction that would otherwise be associated with internal audits, third-party audits, and technology.
According to a 2011 study conducted by the Ponemon Institute and Tripwire, Inc., business interruption and productivity losses were found to be the most costly consequences of non-compliance. On average, the cost of non-compliance was 2.65 times the cost of compliance for the 46 organizations sampled. With the exception of two cases, the cost of non-compliance exceeded the cost of compliance. This means that investing in information security to protect information assets and meet regulatory requirements is actually cheaper, and reduces costs, compared to not implementing countermeasures.
Get support from the various business units of the organization.
A good budget proposal must have the support of the other business units of the organization. For example, I suggested to the IT manager mentioned above that he probably should have talked to Marketing and explained to them how a reliable and secure network would make it easier for them to market with confidence; IT probably would have had no competition for the budget. I don’t think marketers would want to stand in front of customers when there are questions about potentially unreliable service, system breaches and downtime. Therefore, you need to make sure that you have the support of all the other business units and explain to them how the proposed solution could make their lives easier.
Build a relationship with management and the Board. For future budget approvals, you will need to publish and provide reports to management on, for example, the number of network anomalies that the intrusion detection system you recently purchased found in a week, the current patch cycle time and how long the systems have been running without interruption. Reduced downtime will show that you have done your job. This approach will also show management that there is, for example, an indirect reduction in the cost of insurance, based on the value of the policies needed to protect business continuity and information assets.
Obtaining budget approval for your information security project shouldn’t be a huge challenge if you address the main issue of adding value. The main question to ask yourself is how your proposed solution improves the bottom line. What management or the Board requires is assurance that the proposed solution will produce real long-term business value and that it is aligned with the overall objectives of the organization.
1. Thomson Reuters Accelus, Building a Business Case for Governance, Risk and Compliance, 2010.
2. Ponemon Institute, The True Cost of Compliance, 2011.