How to Justify Security Investment

In March of 2009 I was the speaker at a SIM Meeting in Dallas. In the Q&A at the end, a young security manager asked me a question. He said that he had succeeded in making his company’s infrastructure good enough that they had no problems with security breaches, data leaks, viruses, or any of the other security issues that plague many companies. Now the security manager was having increasing difficulty in justifying additional infrastructure investment in the area of security. He knew that continued investment was necessary — the bad guys get better all the time — but his business customers felt that their security problems were solved. He asked me what he should do about this.

I’ve been pondering this question off and on for the last several months. Then I was reading a book, Brimstone by Robert B. Parker, and I ran across the following words: “safe is more how you feel than how things are … Safe and not safe is mostly in your head.”

Three Different Parts to the Question

When I read those words it struck me: There are three different things going on with the security manager’s question. First, there is the issue of making your business customers feel secure. Clearly, the Dallas security manager has been very successful on this front. Second, there is the issue of actually implementing an infrastructure that provides a reasonable level of security for the amount of money the company is willing to invest. The Dallas security manager seems to be successful in this area as well. Third, there is the challenge of recommending the right level of infrastructure security investment and getting agreement from the business. And that’s what seems to be at the crux of the problem.

You Can’t Eliminate Risk — Only Mitigate It

In June of 2008 I wrote an article entitled “3 Things Your CEO Wants to Know.” Two of the three things were these questions:

How do we stand versus competition?

How do we mitigate risk?

I won’t repeat the text of that article here, but one of the key messages in the article was the idea that businesses can’t hope to eliminate risk — only mitigate it. It’s similar to the idea of Secret 6 in my book: “There is no ‘right’ amount of money to spend on IT infrastructure.” No matter how much money you spend on infrastructure, you’ll never be totally safe and secure. So the “right” amount of money for a company to spend on IT infrastructure — whether it’s for security or for something else like database reliability or resilient servers — depends on the amount of risk that the company is willing to tolerate.

Four Guidelines for Determining the Right Level of Security Investment

So how do you recommend the “right” level of security investment? I think you should use these guidelines:

What are other companies doing who have a similar risk tolerance to your company? That might be your direct competitors, or companies in the same industry, or companies in the same broad category (e.g., financial services or consumer products or industrial suppliers). These are the companies who you will be compared to if you have a security breach, so your security level needs to be at least as good as these other companies.

Does your company deal with confidential information from your customers? Medical history? Credit card numbers? Payroll or investment information? Personal details of their lives? Extra security should be implemented to protect this valuable customer information. Government regulations may require it, but it makes sense even without government regulations.

Does your company differentiate itself from its competition based on an enhanced level of trust or risk avoidance? If you want to be viewed by customers as “more trusted” than your competition, then you need to take increased security measures to justify that view.

Does your company hold a proprietary advantage over its competition which could be lost if confidential company information was revealed? This information could be secret designs, secret formulas, or even the contents of a proprietary marketing database. If your company’s competitive advantage depends on the secrecy of this information, then your security investment level should reflect the need for increased protection for that confidential company information.

Good Security is Invisible

It’s difficult to justify security when it’s working. The biggest investments in security usually come right after a security breach — one in the news or a breach in your own company’s security. Many aspects of IT are like that — they’re unnoticed, unrewarded and invisible until something goes wrong. It’s human nature to ignore the things that are working and to focus instead on the tasks that need to be done.

This is where trust comes in. If things are going well then your boss has to trust that you’re doing a good job, and has to trust your recommendations for doing a better job.

But trust has to be earned, and even trust has its limits during tough economic times. You may be recommending the right things, but you have to be able to convince others that your right things are a more important investment for the company than someone else’s right things.

Making People Dissatisfied is the Only Way to Justify Investment

In my first newsletter article in April 2003, I wrote about the three things required to get a person to change. The first one is dissatisfaction with the status quo, and that’s the one that’s most important when you’re trying to sell security investment. To justify additional security investment you have to convince the business that your current security infrastructure is inadequate.

You can do this by:

Providing a factual comparison of your security infrastructure to the infrastructure used by other comparable companies, pointing out the areas where these other companies are stronger and better

Making the case for increased security for your business due to the company’s unique security needs, including any security needs required by government regulation

Helping business executives to visualize what the cost of a security breach might be

Conclusion

A security manager has five strategic roles:

Recommend the right level of security investment, and get your business customers to invest at that required level

Implement an infrastructure that provides a reasonable level of security for the amount of money the company is willing to invest

Figure out how to refine the processes and products used in your infrastructure to optimize their performance and reduce their cost

Determine how you’ll respond when there is a security breach, and prepare for that possibility

Make your business customers feel secure

To be successful as a security manager you have to be successful at all five strategic roles. There is no “right” amount of money to spend on security infrastructure — or any other type of infrastructure. You have to fight your way out of invisibility to show the business the risk of having an inadequate security infrastructure. And you have to make the case to justify the level of spending that you think your company needs.

So let me revise the wording on that last strategic role. It should say:

Make your business customers feel secure — but only if you think that feeling is justified

If you don’t think the business is secure enough, then it’s up to you to make sure they know it.

Acknowledgement

Thanks to Scot Miller for his interesting question and for his insightful comments on a draft of this article. But just in case I’ve accidentally misrepresented something Scot said, let me point out that the views expressed in this article are my own and may not reflect Scot’s views or the views of his employer.