The Business Case for Information Security

Transcription

1 The Business Case for Information Security An Internet Security Systems Whitepaper Table of Contents A Call to Action for Corporate Executives... the world has changed 2 Business Case Background 4 Back to Basics 5 The Enterprise Procurement Process 9 By Doug Lewis, Senior Partner and Founder of The Edge Consulting Group

2 Call to Action for Corporate Executives the world has changed Over the past few years, the risk of cyber attacks has drawn increased attention from elected offi cials and corporations. High profi le computer breaches have resulted in embarrassing media coverage. In addition, governments have enacted new regulations aimed at protecting the confi dentiality and integrity of individuals private data. These regulations hold senior management and boards of directors accountable for compliance with key security and privacy measures. Information security defenses are becoming more sophisticated pushing buying decisions from the data center to the Boardroom, from the security director to the CEO. Senior executives are compelled to ask themselves How safe is my company? How do I know? What else should I be doing? How do I justify additional security investments? They re looking for a business case for an enterprise information security solution and not just one-off, best-of-breed point solutions implemented in the past. The importance of information security products and services is driving an increasing number of senior executives to get involved in the decision-making process for their procurement. There are many Executive-Level drivers for information security. They may be regulatory, contractual, or risk-related. Internet Security Systems (ISS) recognizes that selling solutions exclusively into the IT department does not capture the full value that these solutions bring within the context of overall risk management. By developing a strategy and a set of tools to reach additional senior managers, ISS has improved the visibility of information security products and services and demonstrated their effectiveness in resolving key business issues. The responsibility for discrete product decision-making has traditionally been that of the manager/director of the information technology infrastructure operation and/or its security. The decision to buy managed security services, however, is often elevated to the CIO or a CIO s direct report due to two factors. First, the expenditure level exceeds that which can be accommodated within normal data center budgets and requires CIO signature authority. Secondly, the impact of managed security services spills over traditional data center boundaries into network operations and application development and maintenance. As managed 2

3 security services continue to evolve, the decision responsibility will rise to CEO/ CFO/Board levels with a corresponding increase in justification requirements necessary to make a sound decision. Funding sources have also evolved with the sophistication (and resulting benefits) of information security offerings. Justifications for security investments at the business unit and enterprise levels compete head-to-head with other business proposals showing in-year positive return-on-investment (ROI). Often, the task of preparing these economic justifications falls to technology professionals who may not have the background, time, or staff required to prepare and sell a winning proposal at the executive level. The purpose of this white paper is to provide some tools that present information security in terms that a non-technical executive can understand. These tools have been developed in collaboration with dozens of executives at some of the largest corporations in North America. By design, complex concepts are presented in a simple, straight forward manner. 3

4 Business Case Background To construct a credible business case for information security, it s helpful to look at some data that explains the senior executive s role in the IT buying process. The next chart compares the involvement of top management, middle management and technical staff throughout the various phases of the IT buying process. The statistics are based on the U.S. market. Note that top management is highly involved at the beginning and end of the IT buying process when a vendor is selected. IT professionals are mainly involved in the middle of the decision making process when various vendors technical features and functionality are compared. In reality, many IT buying decisions are (quietly) made at the beginning of the sales cycle on the basis of a trusted advisor relationship. The rest of the process is designed to meet the (very necessary) requirements of the enterprise procurement process. The accompanying pie chart illustrates another way of looking at the same data. It further emphasizes the critical role played by top management in the decisionmaking process. 4

5 Back to Basics To prepare a compelling business case for the executive suite, you need concepts, visuals and tools that align with the CXO s view of the world. In this environment, decision makers are executives that need to understand the business (rather than the technical) reasons for moving forward with your proposal. A CIO s View of Their World The CXO may have a very different worldview of an enterprise s technical infrastructure. Your view may be more technical and complex than that of most business executives. Even enterprise-level CIOs think about their company in business terms and not in the language of the security technologist. The Onion Diagram, shown here, represents a common CIO view of IT infrastructure. Other executives within the enterprise are likely to share this view because the CIO has used it over and over in company presentations. Critical data resides at the center in ring 1 and includes customer information, fi nancial information, employee information, proprietary designs, intellectual property, etc. The second ring represents the company s applications, many of which are mission critical, as they are at the heart of the company s day-to-day business operations. The third ring is the company s internal network. This represents building or campus LANs (local area networks) located behind the company s fi rewalls. The fourth ring includes internal users that are connected to the internal network behind the fi rewalls. They are followed by the external company networks, the WANs, that connect remote offi ces and traveling executives in ring 5. Ring 6 includes e-linked business partners and the company s customers. This diagram is important. It plays a big part in explaining how the products and services in your proposal meet executive-level drivers for information security as well as generating a positive return on your company s investment. 5

6 An Executive s View of Security Investment vs. Effectiveness Tom Noonan, the chairman and CEO of Internet Security Systems, conducts discussions with CEOs, CFOs, CIOs and Chief Information Security Offi cers (CISOs) around the world. In every meeting, he encounters two lines of questioning. The fi rst set of questions are about understanding and measuring a company s current protection level. How protected is my company? Am I doing the right things? How do I know? What metrics should I use? The second set of questions is about understanding and correcting a company s vulnerabilities. What else should I be doing? How do I get there? How do I justify the cost to get there? The relationship between Security Investment and Security Effectiveness illustrated below is an excellent way for non-technical business executives to understand the need to invest in information security. The diagram can initiate a business discussion and aids companies in striking a balance between their current protection level and their degree of vulnerability. An even richer discussion is what that balance might look like one, two or three years down the road. The diagram relates security spending to security effectiveness along a Security Curve, or S-Curve. Note that every company has its own S-curve, with a unique slope that is based upon the company s circumstances such as industry, size, etc. For discussion purposes, we ll use one S-Curve to analyze several companies. The Prudent Zone depicted in this diagram moves to the left or to the right according to a company s risk profi le. The Prudent Zone shifts to the right for companies in a high-risk business (credit card processing) and shifts to the left for companies in a lower risk business (low tech manufacturing). 6

7 A position to the left of a company s Prudent Zone and below its S-Curve (Point A) represents a common situation where money has been spent on information security, but signifi cant vulnerabilities exist and critical data assets are still highly susceptible to a successful attack. An excellent analogy for the security investment versus effectiveness relationship is a castle and its moat. Until the moat completely encircles the castle, there isn t any meaningful protection. Companies positioned to the left of their Prudent Zone are exposed to serious security breaches and should consider a comprehensive security assessment and remediation proposal. Informed senior executives should not focus on an incremental cost reduction or simple optimization of their security environment. As an example, a hospital vulnerable to private patient data disclosure should be far more interested in avoiding landmark lawsuits over patient data privacy, than in shaving 10 percent off the current security budget. Their security budget will, most likely, increase over time in an effort to protect individuals private healthcare information and comply with the latest regulations. On the other hand, if too much money is spent chasing a myriad of expensive-tomaintain, best-of-breed information security point solutions to protect against every possible exposure, the company has failed to optimize its security investment. This is a case of the castle moat being unnecessarily wide and deep. As a company s position on its S-Curve moves up and to the right, the slope of the curve sharply increases. At this point on the curve, only minimal improvements in security effectiveness can be obtained from disproportionately large security investments. In this case, the company is positioned to the right of their Prudent Zone and above the S-Curve (Point B). Note that senior executives in companies positioned within or to the right of their Prudent Zone will probably not think of themselves as exposed to catastrophic breaches and may be primarily interested in a proposal offering a total cost of ownership (TCO) reduction or an optimization of their security environment. As an example, banks are highly regulated with regard to information security. Frequent audits ensure compliance with mandated security provisions. For banks located on the far right of their Prudent Zone, increased security spending has a diminishing effect on security effectiveness. Such banks will be far more interested in a proposal maintaining the current level of security for fewer dollars or marginally increasing their overall security effectiveness while maintaining their current spending level. The ideal spot for a company is on the S-Curve and in the Prudent Zone for the company s risk profi le (Point C). This position represents a good combination of investment and protection and is achieved when business discussions take place about how wide and how deep the moat needs to be to most effectively protect the treasure that s in the castle. 7

8 Finding a Company s Position on the S-Curve To over-simplify the executive decision process for information security, there are fi ve important questions to ask and two potential courses of action to consider. The fi ve important questions that an executive decision maker should ask are: 1. How effectively are independent audits conducted? 2. Has an independent security risk assessment been performed in the last year? 3. Has the Board received a recent report on the status of information security? 4. Am I comfortable with the security of the company s critical data assets? Private individual data Customer account information R&D / product design specifi cations Strategic business plans 5. Do we have enough qualifi ed staff to keep up with the pace of change? The two potential courses of action are: (1) Do what you are doing more cost effectively or (2) Do an information security assessment, outline your options, and establish a plan. An Information Security Assessment (ISA) is a commonly used service that provides answers to an executive s information security questions. An ISA also provides the requisite information for a security professional to construct an action plan to move from their current position on the S-Curve into the Prudent Zone for their respective vertical, representing effective security at a reasonable cost. 8

9 The Enterprise Procurement Process If you are interested in moving an information security project through a large enterprise you need to understand the procurement process and how it works. Large companies thrive on leveraging their size to blanket markets with product, marketing, and sales. Big companies swing a Big Bat their ability to invest massive amounts of capital. The CEO and the Board of Directors must ensure the funding behind the Big Bat is swung at the right pitches, not misdirected, and not stolen. Such companies use controls and separation of authority to ensure the company s capital is best applied to projects that generate a return for their shareholders. The bigger the capital initiative, the more controls and decision makers will be applied. These controls and separation of authority can look like unnecessary red tape, but they have a very benefi cial effect. Unless there is a strong, determined, and articulate advocate for a large capital initiative, it will die entangled in a web of red tape. Why is this benefi cial? Aren t valid capital initiatives, at times, left unfunded because the sponsor couldn t put two words together without confusing the audience? In truth, unless the sponsor is strong enough and articulate enough to get through the red tape, the project will not be pushed through to a successful completion. In other words, companies prefer weakly driven projects to die before money is wasted. Typically, a signifi cant security investment originates with the CISO and quickly moves to the CIO s offi ce. The CIO may then involve purchasing, legal, fi nance, and sometimes human resources to draft the request for funding and to participate in the initiative. The CIO s staff will handle the technical evaluation and the assessments. Purchasing will negotiate the terms, conditions, and pricing, and ultimately issue the purchase order. Legal will ensure the contract meets the company s contractual requirements. Finance will ensure the project meets a set of minimum requirements such as a hurdle rate for the ROI. This is the lowest ROI acceptable to the company. Since most large companies encourage multi-sourced deals, there will probably be a requirement for either a side-by-side comparison of competing solutions or a very strong justifi cation for sole sourcing a deal. Once the early negotiations, fact-fi nding, and competitive evaluations are completed, and the spending request is drafted, the company moves into the decision making process. A smart CIO will have been socializing the project with the stakeholders and decision makers long before this point. A typical decision process in a large company involves getting a signoff on the spending request from at least one senior executive. Presentations to these decision makers must be easily and quickly understood. Executives have innumerable funding requests and projects coming at them every day. They must be (painlessly) informed on the need for the project, what s been done thus far, who s been involved, and the business benefi ts expected to result from project completion. 9

10 Pulling the Business Proposal Together In addition to effective executive-level presentations, nearly all companies require written justifi cation for their investments once they exceed a certain dollar amount. Usually, the company requires more detail in the justifi cation as the level of the investment increases and/or as the sensitivity of the issue escalates. A small investment may require only a few pages while a large investment may require extensive descriptions of the project and detailed fi nancial analyses of the costs and the anticipated returns. An investment affecting an audit committee area will normally be treated as a high dollar investment. The basic justifi cation, however, remains the same for large and small investments. The approvers want to understand what is proposed, what business problem is solved, why should limited funds be allocated to the investment, what other alternatives were considered, why the proposed solution won out, what the up-front cost is, what the total cost of ownership over a period of years is, what the anticipated benefi ts are, and how these benefi ts will actually be realized. Most senior decision makers (CFO, CEO, and CIO) will not have the technical background to grasp the details behind an investment in information security products and services. They seek a justifi cation written in business language they understand backed up with a solid fi nancial analysis. This is where Internet Security Systems can help. Build a Business Case for Information Security within Your Organization Internet Security Systems, with leadership from Doug Lewis, former CIO and founder of The Edge Consulting Group, has developed a series of tools and presentations to help clients build and communicate an executive business case for security. Internet Security Systems will benchmark your organization s security effectiveness against your peers, and ensure your executives are continually updated with actionable information about security that they can understand. Get your information security business case on the path to approval. Contact Internet Security Systems today at to get started. About the Author Doug Lewis is Senior Partner and Founder of The Edge Consulting Group. Lewis has been Chief Information Offi cer at three Fortune 500 companies during the past 15 years. In recognition of his accomplishments, ComputerWorld Magazine named Mr. Lewis to The Premier 100 CIOs in January Lewis specialty is turning around distressed Information Technology departments and creating alignment between Information Technology and business strategy. Prior to founding The Edge Consulting Group, Doug Lewis was Executive Vice President and Chief Information Offi cer for InterContinental Hotels Group, with 3,300 hotels in over 100 countries around the globe. Mr. Lewis also served as Vice President and Chief Information Offi cer for Lucent Technologies, having joined AT&T s Network Systems Group in 1993 as their fi rst CIO. At the newly minted telecommunications giant, he led a group of more than 7,000 professionals and managed a total budget of $1.2 billion. 10

11 Mr. Lewis fi rst CIO appointment was with Pratt & Whitney Aircraft, a Division of United Technologies. He holds a Bachelor of Science degree in Electrical Engineering from Louisiana State University and, a Master of Science degree in Systems Engineering from Southern Methodist University. He has also attended the Summer Executive Program at Harvard Graduate School. About Internet Security Systems, Inc. Internet Security Systems, Inc. (ISS) is the trusted expert to global enterprises and world governments, providing products and services that guarantee protection against Internet threats. An established world leader in security since 1994, ISS delivers proven cost effi ciencies and eliminates regulatory and business risk across the enterprise for more than 11,000 customers worldwide. All ISS products and services are based on the proactive security intelligence conducted by ISS X-Force research and development team the unequivocal world authority in vulnerability and threat research. Through its Proventia products and suite of security services, ISS offers the industry s only protection guarantee. Headquartered in Atlanta, Internet Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at Copyright 2004, Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems and Proventia are trademarks, and the Internet Security Systems logo a registered trademark, of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifi cations and content are subject to change without notice. 11