Guest Article from iSiegel Consulting: Justifying the Spend on IT Security
Companies that underfund security initiatives undermine their own ability to protect their information assets. The results can be catastrophic. IT leaders and CFOs need to understand the severity of the situation, specifically what the risks are and, most importantly, how to present the business value of making the investment to upper management (the CEO and board members). Here’s what’s to be done.
Upper management can easily come up with a hundred reasons not to properly fund security initiatives. And when they do fund them, they may not be investing wisely. Often the decision not to fund occurs because the executives lack adequate information on which to base an investment.
The best strategy is to treat security as part of risk management. The strength of the argument for or against funding rests on determining what the risk is to the organization, what losses can be incurred from that risk, and how much it will cost to mitigate it. With this information, upper management can decide whether the expenditure is worth it. What may shock the CFO is the degree of risk the company is facing. There is no need to exaggerate here: the risk most companies face is substantial enough on its own to get the CFO’s attention.
Company executives will feel more comfortable investing in security when the business case and financial terms are solid and upper management is given a choice of security strategies and investments to compare. Once funded, a reporting strategy and regular status updates to upper management that are informative and clearly stated are necessary to build credibility.
Identifying security problems
Fortunately, the tools, such as intrusion detection systems and firewall logs, are readily available and can determine where security problems already exist in your organization. These tools produce a mountain of data and can provide excellent supporting evidence for many security investment decisions.
The downside of using these tools to collect and assess network and system data is that they require a serious commitment of both time and effort. However, you will find the effort is well worth it, as hard data makes the most compelling case for security investments.
The last major step upper management needs is a status report, included in your deliverables, on how well things have gone. Good communication is key. Measuring success, or the lack of it, and making clear to management how success will be measured is important. A no-nonsense semi-annual report is a great way to build credibility. Executives will then know which investments are paying off and which are not and should be cut back. This report is a great way to gain the respect of C-level executives and their support for future projects.
Who we are
iSiegel Consulting is a technology firm made up of senior IT executives. We provide services to CFOs and upper management who need immediate solutions that improve performance, reduce spend and increase operational efficiency. We commonly work with the CEOs, CFOs and boards of directors of small to medium-sized companies.
We principally focus on three technology challenges: cyber security; budget/project management; and compliance and governance design. Our teams of CIOs, CTOs and senior admins find solutions to the most demanding operational and organizational challenges facing organizations. More about us at http://isiegelconsult.com