Information systems security is very important in business today, to defend against the many threats to cyber and information resources. Despite the good arguments made by information security managers, boards and senior management in organizations are still reluctant to approve information security budgets; other items such as marketing and promotion are believed to have a better return on investment (ROI). How, then, does a Chief Information Security Officer (CISO) / IT Manager / Information Systems Manager convince the directors or the board of the need to invest in information security?
I once had a conversation with an IT manager of a major regional financial institution who shared his experience in getting an information security budget approved. The IT department was competing with marketing for some of the funds that had become available as savings in the annual budget. "You see, if we invest in this marketing campaign, not only will we reach the target market segment and help exceed the figures, but estimates suggest it could more than double our loan portfolio," marketing argued. On the other side, IT's argument was that "by being proactive in acquiring a more robust intrusion prevention system (IPS), we will reduce security incidents." Management decided to allocate the additional funds to marketing. He then wondered what they had done wrong that the marketing people had done right! So how do you ensure you get approval of the information security budget proposal?
It is essential that management assess the consequences of inaction. If there were a breach, not only would the organization's reputation suffer, with loss of customers due to reduced confidence in the brand, but a breach could also lead to loss of income and even legal action against the organization, situations which even good marketing campaigns may fail to redeem.
Let us address the main points that management might raise against investing in information security.
1. Information security solutions tend to be expensive; where are the concrete results?
The overall objective of any organization is to create/add value for shareholders and stakeholders. Can you quantify the benefits the countermeasure would buy? What metrics do you use to justify the investment in information security? Align your argument for the countermeasure with the overall objectives of the organization: how do you show that your action will help the organization achieve its objectives and increase shareholder/stakeholder value? For example, if the organization is focused on customer acquisition and retention, how will acquiring the information security solution you propose help achieve that goal?
2. Is it a panic/isolated response to a regulatory requirement or a recent audit query?
The vast majority of information security projects may be driven by external regulations and compliance requirements, or may be a reaction to a recent external audit query or to a recent system failure. For example, a financial regulator may require all financial institutions to carry out a computer vulnerability assessment. The organization is therefore obliged to comply at all costs or face penalties. Although responding to these regulatory requirements is necessary, simply plugging the holes with a "fire-fighting" approach is not sustainable. Implementing process change alone could result in a siloed working environment: conflicting information and terminology, disparate technology and a lack of connection with the business strategy. [1]
Uncoordinated reactions to specific regulatory requirements may result in the implementation of solutions that are not aligned with the organization's business strategy. Therefore, to address this problem and obtain funding approval and management support, the argument and business case should show how the solutions we intend to acquire fit into the bigger picture and how they align with the overall objective of securing the organization's assets.
What are the cost implications and the impact of doing nothing?
You must inform management of the business value of the solution you want. Begin by showing/calculating the current cost, consequences and impact of doing nothing, that is, of the countermeasure you wish to acquire not being in place. You can classify these as follows:
Direct costs - costs incurred by the organization because it does not have the solution in place.
Indirect costs - the amount of time, effort and other organizational resources that could be lost.
Opportunity cost - the cost resulting from lost business if the security solution or service you propose were not in place, and how this could affect the organization's reputation and image.
You can use the following pointers and expand on them further:
• What regulatory fines for non-compliance does the organization face?
• What is the impact of productivity losses and business interruption?
• What would be the impact on the organization, its brand or its reputation, which could result in huge financial losses?
• What losses are incurred due to poor risk management in the company?
• What losses do we attribute to fraud, internal or external?
• What are the costs spent on the people involved in mitigation that would otherwise be reduced by implementing the countermeasure?
• How does data loss (data being a major asset of the company) impact our operations, and what is the actual cost of disaster recovery?
• What are the legal consequences of a breach resulting from our inaction?
How does the proposed solution reduce cost and increase the company's value?
Next you have to show how your proposed countermeasure will reduce cost and increase the company's value. Again, you can expand on the following areas:
• Show how the increased efficiency and productivity from implementing the countermeasure will benefit the organization.
• Quantify how business productivity increases as a result of reduced downtime.
• Demonstrate how being proactive could reduce IT audit and assessment costs.
• Quantify the cost reduction that would otherwise be incurred on internal audit, third-party audits and technology.
A 2011 study by the Ponemon Institute and Tripwire, Inc. found that business disruption and productivity losses are the most costly consequences of non-compliance. On average, the cost of non-compliance was 2.65 times the cost of compliance across the 46 organizations sampled; with the exception of two cases, the cost of non-compliance exceeded the cost of compliance. [2] This means that investing in information security to protect information assets and meet regulatory requirements is actually less expensive, and reduces costs, compared with not putting countermeasures in place.
Get support from the organization's other business units
A good budget proposal must have the support of the organization's other business units. For example, I suggested to the IT manager mentioned earlier that he probably should have talked to marketing and explained how a reliable and secure network would make it easier for them to market with confidence; then there would probably have been no competition for the budget. I do not think the marketing people would like to face customers during service reliability problems, breaches and system downtime. Therefore, you must ensure you have the support of all the other business units, and explain how the proposed solution could make life easier for them.
Build a relationship with management/the board for future budget approvals too: publish and provide reports to management on, for example, the number of network anomalies the recently acquired intrusion detection system found in a week, the cycle time of the current programme, and how long the systems have run without interruption. Less downtime means you have done your job. This approach will demonstrate to management that there is, for example, a reduction in indirect costs based on the value of the continuity needed to protect information assets and the business's assurance policies.
Getting the information security budget proposal approved should not be much of a challenge if you answer the main question of added value. The main question to ask is: how does the proposed solution improve the bottom line? What management/the board requires is assurance that the solution you propose will produce real long-term value for the company and is aligned with the organization's overall objectives.
References:
1. Thomson Reuters Accelus, Building a Governance, Risk and Compliance Business Case, 2010.
2. Ponemon Institute, The True Cost of Compliance, 2011.
About the author
Thomas Bbosa, CISSP, is an information systems security consultant and partner with BitWork Consult Ltd (http://www.bitworkconsult.com), a leading IT security consultancy in East Africa, located in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP) with over 12 years of experience in the IT industry. He has been involved in various infrastructure management and support, information systems security management and solution implementation roles.