Selling information security to the business

David Kelleher’s “10 Things that WON’T Happen in 2009” is an insightful discussion of security issues that, despite every effort to resolve them, seem to return with each passing year.  This blog series will explore what we can do to realize a more secure business environment in 2009.

In spite of the serious security breaches of 2008, Mr. Kelleher predicts that organizations will continue to treat security as an afterthought rather than as a critical business consideration.  I agree: a business that does not see the value proposition in security investments is unlikely to make them.  To get information security onto the agenda of a board of directors, we must make a business case for it.

“A common sense way to make the business case for software assurance” presents several models for communicating the value of security investments.  Among them is the balanced scorecard.  This model examines the organization from four metric perspectives:

  • Financial
  • Internal Business Processes
  • Learning and Growth
  • Customer

The Financial metric requires accurate and timely information about the fiscal health of the company, including data on assets, liabilities, and risks.  Every investment decision ultimately rests on this metric, so the financial impact of a security solution (its cost, and the losses it is expected to avoid) must be communicated in those terms.

The Business Process metric allows executives to verify that processes are meeting business requirements, and it is a powerful driver for change in business strategy.  Rather than struggle against existing processes and culture, security professionals should design solutions that leverage them.  Where change is nonetheless required, it must be sponsored by the leadership in order to succeed.

The Learning and Growth metric examines attitudes towards corporate and self improvement.  Learning extends beyond the immediate gain in knowledge: once inculcated into the business, it can change the way the business competes, for the better.  Given the value of intellectual capital, security proposals must highlight the educational enrichment they offer.  A workforce that understands how to counter the risks the organization faces adds greater value to the bottom line.

Lastly, the Customer metric is an indicator of market satisfaction with the products and services the business offers, and it includes the reputation of the organization.  Security professionals must show how their proposals will enhance customer satisfaction.  They must also show how the business can strengthen its value proposition through security investments.

If information security professionals frame security within this scorecard, they can communicate the business value of a given set of solutions in terms each perspective already measures.  By speaking the language of business, they can get the attention of those who control the budget.

I welcome discussion from my readers on how to sell security to business people.