Justifying security spend in tough times is a hard sell. So, avoid complex ROI arguments, focus on risk and steer clear of jargon. By Rob Buckley.
Proving security's worth is not always the easiest job. Once you've invested in systems, trained staff, secured the perimeter, secured the interior, put in monitoring and maintenance programmes, chosen what, if anything, to outsource, run penetration tests and more, what's the result? No-one gives out their password on the phone, catches a virus on their PC, leaves unencrypted data on the train or suffers any kind of a security breach. If all goes right, nothing happens.
Come the next budget round, though, the idea of giving money to a function that doesn't seem to produce any visible results may seem less palatable to the board than giving money to the sales department – particularly as the credit crunch makes cutbacks inevitable. So how should the information security head go about making the case for investing in security? And as those cutbacks start to bite, how can he or she make the money that is available go further?
As many CSOs have discovered, rather than talking ‘techie', using the same language as the rest of the business pays dividends. That might mean discussing return on investment (ROI) – or even ‘return on security investment' (ROSI) – but that approach has pitfalls.
“Use the right language,” says Nick Seaver, a director in Deloitte's security practice. “I do see ROSI used in place of ROI, but the reaction from FDs and CEOs is often bewilderment that it's not just called ROI. Marketing and production call it ROI, not ROMI or ROPI. Using ROSI outside the security community risks losing credibility.
“ROI is notoriously difficult to use accurately in risk-reduction efforts and serves to undermine your case.”
Seaver points to risk management and marketing functions in organisations, both of which have the same challenges in justifying investment but which don't tend to use ROI to do so.
Although the temptation to attempt to produce ROI figures can be great, finding the data to create them can be hard, as can finding a useful methodology. Adrian Davis, senior research consultant for the Information Security Forum, has been working on approaches more applicable to the security industry than standard ROI. “Applying ROSI in an organisation is difficult,” he says. “Without clear guidance from published sources, security professionals may struggle in understanding when and where to use ROSI. Should ROSI be used for demonstrating the benefits of security in an organisation, or just the benefits of installing an integrated security gateway? Calculating ROSI is problematic.
“The various calculation methods are complex and inconsistent, meaning that it is difficult to compare the results from two different calculations. Many ROSI approaches are data-driven, but much of this data is often lacking in both the public domain and within organisations. The data that is publicly available is often regarded as unreliable and lacking insight and it is often collected with little rigour or consistency,” he says.
Seaver says he has even seen some CSOs attempt to use Monte Carlo simulations (algorithms that rely on repeated random sampling) to compute their results to calculate ROI. “Unless you know how to use these tools and are sure your assumptions and data will stand up to challenge, the more complex the tools you use, the more your assumptions and data will be challenged. ‘Viruses or spam stopped' might be statistically robust, but ‘total cost of security incidents in the UK economy' isn't.”
Concentrating on ROI and hard figures can even skew investment away from needed projects to ones more quantifiable but less necessary.
While it can be done – and Davis has developed a methodology and tools for Information Security Forum members to use – a potentially more applicable approach is risk to the business.
“Defining risks up-front and working risk-based is the best approach to please everyone – or at least most of them,” argues Martin Kuppinger, founder of analyst company Kuppinger Cole. By defining risks to the business and the potential problems they can cause if not protected against, the CSO will find it far easier to speak in terms the board can understand and to get its backing.
The risk profile will vary from organisation to organisation and industry to industry, according to Floris van den Dool, head of security for EMEA at Accenture. Some risks can be relatively easy to determine, provided the organisation has been monitoring and recording metrics for things like attempted attacks. Picking the right metric can be vital. For example, it is as important to measure outputs as it is inputs, with changes in user behaviour or levels of awareness telling more than the number of hours of training delivered or number of communications.
The move away from best-of-breed security appliances has helped with this, since most integrated solutions provide suites of reporting tools that can provide a more integrated look at security risks than simple log tools. The increasing emphasis on compliance, now lumped together with other legal requirements as ‘IT GRC' (information technology – governance, risk and compliance), means that there are software suites designed to monitor the enterprise's performance in these areas as well, that can also give a higher-level overview of risks.
Once you have worked out the risks, working out the best way to mitigate those risks in a way that is compatible with the business's processes is the next step. Not only does that ensure easier adoption and greater co-operation from the rest of the business during implementation, it gives the security function greater visibility within the business, meaning security is less likely to be seen as a ‘black box' or a burden. By taking this overall view of risk, security projects are also far more likely to succeed, Kuppinger argues. “From our experience, most money is wasted because the scope of the investment is too limited – people just address a small problem without a holistic view.”
Having determined what projects are needed, ISF's Davis says that the next step is to approach the CFO. “If the CFO approves, you're winning half the battle of getting the business on board.” To do that, Davis suggests going to the CFO with the information necessary and asking him or her the best way to present it. “Don't go in with an information security initiative,” he warns. Instead, discussions of risk are the best way forward. With most of the business focused on reducing both costs and problems to close to zero, Davis says that talking of a non-incident rate growing to 95 per cent is less helpful than discussion of getting the incident rate down to five per cent – something particularly important when there are no ROI figures.
Seaver warns of focusing too much on those zeros, however. “If you're measuring cost per security training hours delivered, people may try to reduce the ‘cost per hour' – but this is probably not what you're trying to achieve.”
Again, avoiding technical phrasing is key. Often, pointing simply to loss of reputation is as effective as numbers, and the MoD and other branches of government, as well as many major companies, are often extremely helpful in providing headlines about data losses that help to focus boards' minds on potential results of under-investment in security. If talking in business terms to the rest of the business is problematic for a CSO, training is available. Indeed, CSOs who go on MBA courses to learn to ‘talk business' often find that not only can that mean they do their own job better, they often end up doing the job of someone else higher in the company later on in their career.
It is then up to the board to decide where to invest. But if it has had a clear profile of the risks and decided which risks it is willing to tolerate, the buck no longer stops with security if there's a breach in an area where the board was unwilling to invest. If the demands from security are purely in terms of technology, the waters are muddier.
And if the board doesn't give quite enough to make the approved projects realisable, making the money that is available spread even further is also an art and can involve some lateral thinking. Davis suggests teaming with other departments to get certain projects onto their books if necessary – if the CSO can demonstrate that a project is necessary to ensuring their projects are successful. This will also make the chances of the project succeeding even greater. Almost every CSO would like to have enough staff and budget to run every aspect of security in-house. However, few have that luxury and Accenture's van den Dool says that outsourcing parts of security that cannot be handled in-house is a proven way of saving money.
Not all outsourcers are created equal, however, and getting the most from a contract and an outsourcer can be something of an art. Chris Coulter, a partner at law firm Morrison and Foerster, says that there are various strategies that can be employed, although trying to do too much ‘hardball' negotiating can lead to problems. “I remember a deal I did a few years ago that should have been straightforward. But there was a lack of trust on both sides.” The customer was unwilling to share data and the vendor upped the prices in case the customer was hiding problems – which it wasn't.
Instead, most savings are made in the long term. Clarifying whether licence costs are per seat, per year or over a department can avoid steep costs down the line in a vendor contract – as can the option to cancel maintenance costs later on. Benchmarking ensures outsourcers provide what is being asked of them. However, Coulter says that the contract must specify what is benchmarked and who will do the benchmarking. If it doesn't, many outsourcers will regard this as a gift. “It'll never end up being agreed” once the outsourcing is actually under way, Coulter says.
The fact that the economy is also in recession means that existing agreements with vendors and outsourcers can also be renegotiated if necessary, Coulter adds.
Security spending is rarely something that can be justified using simple ROI investments. It is far easier to justify in terms of mitigating risk. By prioritising those risks, budgets can be negotiated more easily and made to spread further, but only if it's expressed in a way the rest of the business can understand.
CSOs can anticipate the risks of many events, but the near-collapse of the world's banking system probably wasn't on many threat lists. The initial reaction is that a recession means security spend will be cut, but others argue that while businesses will cut expenditure, security will survive since it's one area where there cannot be compromise.
Khalid Kark, an analyst for Forrester Research, says the answer will depend on the industry. “CSOs for financial services companies have seen their budgets cut pretty extensively. In other industries, I see a slow down.” But CSOs are mainly holding off on projects while they wait for the dust to settle. “Before this crisis, we surveyed security spending. It was going to increase from eight per cent of the IT budget to 10 per cent in 2009. That's going to be dampened a little bit, but I suspect there is still going to be an increase.”
The reason is the cyclical nature of security spending, says Kark. Typically, there will be a period of increased spending on security technology, followed by a period of digestion, then more spending. The last two years, says Kark, have seen that ‘digestion' period, so he predicts increased investment next year, on operational efficiency, and integrating existing sets of tools and technologies.
Adrian Davis, senior research consultant for the Information Security Forum, says security spend will need to be maintained in specific areas: as recession bites, there will be staff churn, more internal fraud and more disgruntled employees.
But spending also needs to be maintained for when recession stops. “Now is the time to look at technology as an enabler for the business to move forward after recession,” says Davis. He envisions small projects with security acting as an enabler. “Businesses want suppliers and customers to come in but not cause harm. They need to put in the tech so suppliers can hook up and know they can get orders.”
Gartner analyst Tom Scholtz says that security budgets won't be exempt. “Security officers should proactively risk-assess their planned project portfolio and identify projects that can be postponed with limited impact. Opportunities for cost cutting should be identified.”
But any cuts to security will increase risk – and managers need to agree that this is acceptable, purely to achieve short-term cost-cutting goals.
Developing a budget and justifying expenditure on security is something Jason Petrucci has considerable experience with. After working in various corporate law firms as well as PricewaterhouseCoopers, he has been director of information technology for corporate law firm Lawrence Graham for 18 months.
“When I arrived, I performed my own ISO 20001 assessment of the firm and then brought in various companies to do some analysis work for me,” he says. “It became apparent very quickly that we had a number of risks, not only from the IT security perspective but operationally as well. So we set about the task of identifying those risks and putting a plan together to mitigate them.”
Petrucci joined the firm after the budget for the year had already been approved, so at first had to work with the money available. After identifying through his audit what projects he deemed necessary, he prioritised them. “We've never had a structured budget process in place: there's been no justification around expenditure. What I went about doing was looking at the business in terms of where it wanted to go for strategy, identifying particular areas of need, particularly in terms of client communication and services, then putting together a strategy for the business.”
Petrucci says that it was critical for him to understand the business, how its lawyers operate and then find technical solutions that fitted their way of working. He focused on three areas: the lack of security skills in-house, which prompted him to propose outsourcing various functions to managed services provider Vistorm; training, to raise the level of in-house skills; and introducing secure remote access technologies to enable lawyers to work while travelling.
Petrucci then had to justify his investments to the managing partner. “If I were reporting into a COO-type function, I might have put together a risk matrix. But from experience, if you start to describe solutions for the business in technical speak, you lose people in the first two or three minutes. I put together a very short paper on the current status and the risk associated with the way we operated. Then I sat down the managing partner and explained the risks. I compared us to what our peers do and showed that we were behind the times. It isn't an ROI model: it's about reputation and risks.”