One could argue that security initiatives in organizations are often treated differently by senior management than initiatives put forward by other departments. A reason for this special treatment is that security professionals are not providing executive management with financial justifications expected from other departments. In some cases, fear alone of an attack is enough to convince executive management to vote in favor of a significant security investment. However, commensurate with an awareness of the impact network security has on internal controls, members of executive management are increasingly requesting that, as a prerequisite to evaluating a budget request, proper financial justification be provided in the form of a business proposal to substantiate a security initiative. Security financials are beneficial for both IT and executive management, as explained in Table 1.
Table 1: Benefits of Preparing Security Financials and Business Proposals
|Benefits for IT
|Benefits for Management
|Improve the chances that the budget will be approved by substantiating claims with numbers. Potentially, even increase the amount of funds provided for network security.
|"Business-speak" instead of "geek-speak." Executive management often struggles with IT jargon and appreciates when an issue is presented in business terms.
|Prioritize which security initiative among many provides the best return and, therefore, assist security budget allocation to different security projects.
|IT is one of the rare functions within an organization that can snow executive management. Providing financials might not completely reduce the risk, but it forces all parties to do their homework.
|Justify why funds were allocated to a particular project.
|Common methodology to evaluate security business proposals against other proposals.
Security financials, which include costs and savings resulting from a security initiative, are the core element of a security business proposal. The business proposal is the complete package to be presented to executive management: spreadsheets, written report, and slide show. The business proposal should contain:
- Executive Summary
- Purpose of security initiatives
- Business objectives and strategic considerations
- Benefits, challenges, and impact of security initiative
- Architecture and interoperability
- Security Financials, including soft costs and benefits
- Alternatives and recommendations
Senior managers need to understand that network securitys role is to reduce the exposure to risk, and making an investment may not always produce a tangible return, but will protect against a cost occurring. Therefore, the business proposal should outline the tangible financial gain in the form of increased revenues or reduction in costs.
Prior to performing financial investment number crunching to evaluate the benefits of a security initiative, data on the yearly costs and savings of the project should be collected, including
- Total Cost of Ownership
- Single Loss Expectancy
- Annualized Loss Expectancy
- Annualized Rate of Occurrence
- Asset Value
- Exposure Factor
One aspect often neglected by network professionals is the "internal selling" of their proposal. Chances of a project being approved by executive management are significantly increased when the IT manager lobbies to other departments about the value of network security.
Much has been reported on the fogginess of Return on Security Investment (ROSI). Though it might be a less than perfect evaluation method of initiatives, it is still better than no assessment at all.
Security financials provide good insight to the security budget-allocation decision process, but are not a silver bullet. Security financials cant answer the question of what to protect between 1) a potential security breach with a 1% probability of happening producing a $1,000,000 loss, and 2) a potential security breach with a 10% probability of happening producing a $100,000 loss. Here, only your judgment could assess the nuances and prioritize the options.
So, as everything else in life, do your homework and some number crunching, be able to back your recommendations with hard facts, offer a professional business proposal, and especially, use a sound dose of judgment when finalizing you security investment decision.
Happy and safe networking.