Enterprise information security chiefs could boost their chances of getting the funding they need by emulating sales and marketing budgeting practices, a security industry expert believes.
Calling on actual and projected performance figures – a technique common to other parts of the enterprise – when profiling IT security's contribution to corporate success would convey a better understanding of the role it plays in safeguarding business operations, according to Sol Cates, chief security officer at security solutions provider Vormetric.
Speaking at the Infosecurity Europe conference in London this week, Cates argued that challenges to funding requests that cast IT security mainly as a cost centre could be overturned by presenting its relevance in the same way that sales staff present financial targets and market share projections, for instance.
“Organisations are increasingly asking, 'Are we seeing a return on our security investments?'” Cates said. “It's actually time that security is viewed as a quantifiable business enabler. IT security is no longer a tax on the business, it's now an enabler of cost savings and competitive advantage.”
One of the ways that enterprise security leaders could communicate their contribution to corporate financial stability would be to model the likely adverse outcomes a data breach would have on an organisation, Cates said: “The IT security function would benefit from being more open and disclosive about the nature of threats that are targeting an organisation and by evaluating how well it can expect to perform protecting assets against those threats going forward.”
He added: “Other enterprise functions routinely present to the rest of the organisation about projected sales, possible risks and market conditions that might affect future performance. IT security activities could be presented in much the same way, highlighting success rates against cyber-attacks and the resulting benefit to the running of the business.”
Security models could classify the risks into tangible and intangible costs, Cates explained. “Tangible costs could be an item of data such as a patient record in the healthcare sector,” he said. “For example, the dark market rate for patient records is about $200 each, so that sets a baseline market value on any stolen data.” Other tangible risk costs could include reputational harm, damage to business relationships and revenue drops due to lost customers.
From a US perspective, intangible costs include class-action lawsuits mounted by affected customers or legal penalties resulting from data security regulatory compliance failures. “Most enterprises use modelling tools to fine-tune future financial performance and such modelling could also help formulate and analyse cyber-security strategy,” Cates said.
“Making enterprise security performance specifics more visible to other parts of an organisation would place it as an integral part of the company structure and also remind all staff that security effectiveness is a shared responsibility.”