Friday, March 18, 2005

How to Justify Information Security Spending

Dan Lieberman, writing in Computerworld, has performed yeoman service on a topic near and dear to every CISO's heart: how to justify InfoSec spending to senior management. In interview format, Lieberman asks the reader to answer seven simple questions:

1. Is your digital asset protection spending driven by regulation?

2. Are Gartner white papers a key input for purchasing decisions?

3. Does the information security group work without security win/loss scores?

4. Does your chief security officer meet three to five vendors each day?

5. Is your purchasing cycle for a new product longer than six months?

6. Is your team short on head count, and not implementing new technologies?

7. Has the chief technology officer never personally sold or installed any of the company's products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.

Lieberman asserts that a strategy boils down to three key points:

  • Strategy: have you clearly decided upon a Business Unit security strategy?

  • Metrics: measure results in terms the business can understand and do so in the context of a security process

  • Marketing: reinforce the message with senior management, using in-field experiences

Indeed, the stakes are high. Organized crime is actively infiltrating business networks the world over. The cases you hear about -- such as the hackers who came close to ripping off 220 million pounds from the Japanese bank Sumitomo Mitsui -- likely pale in comparison to those that have evaded detection.

In fact, we sporadically hear of an isolated case here and there, where hackers were busted in the midst of an exotic scam. But what about the truly elite blackhats, funded by global organized crime?

Read the whole thing.

Dan Lieberman: How to Justify Information Security Spending