Let’s face it.  You know what you have to do.  You have a 30-day plan.  A 90-day plan.  A one-year plan.  A five-year plan.  You have spreadsheets, budgets, and PowerPoints.

What you DON’T have is management commitment, budget, resources or even the ear of the right people to get done what you need to get done.  Sure, after every CNN report of a hack or an attack, you get a call asking “are we ready for THAT?” and you shrug your shoulders and reply “of course…” whether it’s true or not.

So how do you change the cycle of begging, borrowing and stealing for resources?  How do you get information security to the top of the priority list?

The short answer is, you don’t if you think of information security as a separate line item in the budget.  That’s because information security is a cost.  It generates no revenue.

It’s expensive, disruptive, and keeps people from doing real things that generate real money.  It’s what stops people from using their brand new iPhone 6 Plus, requires them to carry silly dongles and cards, call the help desk a dozen times for password resets, and keeps them from getting access to the files they need at three o’clock in the morning.  It’s the office that says we can’t deploy the latest mobile platform, we won’t move to cloud-based storage, and we have to keep all the files on a server in San Francisco, even though it’s half the price in Bangalore.

The CISO is the one that insists on buying the routers from a specific (documented) supplier, when Newegg has them cheaper, or who tells the boss she can’t take her laptop with her on her trip to Beijing.  And to make matters worse, if the CISO does his or her job properly, after all the money, all the hassle, and all the inconvenience, NOTHING happens.  And if you spend twice as much, more nothing happens.

Add to that the fact that we are really bad at security metrics that matter to the bottom line.  Sure, we can measure the mean time to patch a vulnerability, or the average time to lock a stolen laptop, but how does that impact the bottom line?  This is a bottom line business after all.  In the healthcare arena, did the CISO improve profit margins, lower cost, or enhance patient care and treatment, or did they just help comply with regulations (more on that in a minute)?

So What’s a CISO to Do?

First, new metrics.  We look at a CISO’s job as risk reduction and loss prevention.  So we measure effectiveness by reduced costs of audits, reduced risk of compliance costs (fines, etc.), and reduced risk of attacks.

If we assume the average cost of an attack to be $3.5 million, and we calculate the number of impacted records in our organization, and the likelihood of a breach, we get the likely cost of a breach in our organization.  Then we have to show that the actions of the CISO reduced that likelihood by a certain amount, and voilà!  We have a metric.  So a 5% chance of a breach costing $1 million is reduced to a 4% chance by spending $250,000 in security.

But these metrics are not perfect.  In fact, for the most part, they are just made up.  How do we know the real likelihood that WE will be successfully attacked?  Sure, we use business intelligence and threat assessment services, but those are qualitative assessments, not quantitative.
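To make the arithmetic in the two paragraphs above concrete, here is an added Python example (not code from the post or its author) that implements the expected-loss metric the post sketches: likelihood times breach cost, the reduction in expected loss a security spend buys, the break-even likelihood reduction for a given spend, and a sensitivity sweep over the likelihood, which is the input the post says is “just made up”.  The per-record cost model, the function names and the sample values are assumptions added for illustration.

```python
"""Expected-loss breach metric: likelihood x cost, before and after a control.

Added example; the core formula is the post's own arithmetic, generalised to
a per-record cost model, a break-even check and a sensitivity sweep over the
breach likelihood.  All numbers passed in below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class BreachEstimate:
    """Expected loss before/after a control, plus what the control cost."""

    expected_loss_before: float
    expected_loss_after: float
    spend: float

    @property
    def loss_reduction(self) -> float:
        # Expected-loss reduction is the "benefit" side of the metric.
        return self.expected_loss_before - self.expected_loss_after

    @property
    def net_benefit(self) -> float:
        # Benefit minus spend; negative means the control costs more than
        # the expected loss it removes.
        return self.loss_reduction - self.spend


def expected_loss(probability: float, breach_cost: float) -> float:
    """Expected (annualised) loss: likelihood of a breach times its cost."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if breach_cost < 0:
        raise ValueError("breach_cost must be non-negative")
    return probability * breach_cost


def breach_cost_from_records(records: int, cost_per_record: float) -> float:
    """Assumed per-record cost model (hypothetical, not from the post)."""
    if records < 0 or cost_per_record < 0:
        raise ValueError("records and cost_per_record must be non-negative")
    return records * cost_per_record


def evaluate_control(p_before: float, p_after: float,
                     breach_cost: float, spend: float) -> BreachEstimate:
    """Compare expected loss with and without the control that `spend` buys."""
    if p_after > p_before:
        raise ValueError("a control should not raise the breach likelihood")
    return BreachEstimate(
        expected_loss_before=expected_loss(p_before, breach_cost),
        expected_loss_after=expected_loss(p_after, breach_cost),
        spend=spend,
    )


def breakeven_probability_reduction(breach_cost: float, spend: float) -> float:
    """Likelihood drop (in absolute probability) needed for spend to pay off."""
    if breach_cost <= 0:
        raise ValueError("breach_cost must be positive")
    return spend / breach_cost


def sensitivity(probabilities: Iterable[float], relative_reduction: float,
                breach_cost: float, spend: float) -> List[Tuple[float, float]]:
    """Net benefit for each assumed baseline likelihood.

    `relative_reduction` is the fraction by which the control cuts the
    likelihood (0.2 means 5% -> 4%), so the sweep shows how the answer
    swings with the one number nobody can measure.
    """
    if not 0.0 <= relative_reduction <= 1.0:
        raise ValueError("relative_reduction must be in [0, 1]")
    rows = []
    for p in probabilities:
        est = evaluate_control(p, p * (1.0 - relative_reduction), breach_cost, spend)
        rows.append((p, est.net_benefit))
    return rows


if __name__ == "__main__":
    # The post's own example: 5% -> 4% chance of a $1M breach for $250k.
    est = evaluate_control(0.05, 0.04, 1_000_000, 250_000)
    print(f"expected loss reduction: ${est.loss_reduction:,.0f}")
    print(f"net benefit: ${est.net_benefit:,.0f}")
    print(f"break-even likelihood drop: "
          f"{breakeven_probability_reduction(1_000_000, 250_000):.0%}")
    # Sweep the likelihood against the post's $3.5M average breach cost.
    for p, net in sensitivity([0.05, 0.1, 0.25, 0.5], 0.2, 3_500_000, 250_000):
        print(f"p={p:.0%}: net benefit ${net:,.0f}")
```

Run on the post’s own numbers, the expected loss falls from $50,000 to $40,000, a $10,000 reduction against a $250,000 spend, and `breakeven_probability_reduction` shows the likelihood would have to drop by 25 percentage points for that spend to break even on this metric.  The sensitivity sweep makes the same point from the other side: with the likelihood unknown, the sign of the answer flips depending on which guess you plug in.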

A CISO can no more say that a specific spend will result in a specific monetary outcome than an office manager can say that buying Starbucks coffee in the break room will increase productivity by 4%, resulting in a profit of a specific dollar amount.

That’s because we are measuring the wrong thing in the wrong way.  Not that it isn’t useful, but it’s not WHY we really have information security.  We don’t have information security to reduce risk.  Or to increase compliance.  Or even to prevent losses or hacks.

We have information security to enhance productivity, increase mobility, enable new products and services, and to do business.  Plain and simple.  We have IT security for the same reasons we have IT.  And we need to measure the success of IT security by the same metrics we measure the feasibility of new IT.

A hospital wants its doctors to be able to work remotely, from home, from vacation, while commuting.  To view patient records, and even contact the patient through an app.  To use their own mobile devices (cell phone, tablet) and to write and fill prescriptions.

It reduces costs, increases efficiency, makes patient and doctor happier, provides better documentation of what happened, and provides better reliability.  It also feeds directly into billing and compliance systems so you get paid faster.  And it provides better patient outcomes and tracking for other purposes.

It also can be used to distinguish your practice from those down the block, attract and retain new patients!  So you can measure the impact of all or most of these things.  The traditional approach to IT security is to then SUBTRACT the cost of security and compliance from the profits that can be generated from the new app.  WRONG.

Security is an ENABLING technology.  IF we can do remote diagnosis and treatment AND do so securely and in compliance, we can MAKE a specific amount of money.  Security makes money – it doesn’t just prevent loss.

Too often we peg the cost of security to the cost of the IT infrastructure.  “We spend 8% of the IT budget on security.” Or 20%.  Or 2%.  Doesn’t matter.  But that’s the wrong way of looking at security.  We should rather ask the questions, “what would happen to the company if the data contained on this computer were no longer available. If it were no longer reliable.  If it were no longer private.”

What would be the impact on the business if that happened?  What would happen to our reputation?  What would the cost (direct and indirect) be if that happened?  Not all computers are the same in that regard.  Not all systems are.  Not all threats are.  Peg spending to the business impact, not the IT budget.

Find the necessary spend.

Some IT security spending is non-discretionary.   You may have a regulatory requirement to do something, a contractual requirement, or some other legal obligation.  This is particularly true where you have data belonging to a third party, or where you have collected data from a third party.

Or where you have a contractual relationship obligating you to keep something confidential.  In this case, enlist the support of the General Counsel in your budget process.  If you MUST do something, well, you MUST do it.  Plain and simple.

CEO’s Time is Short

Everyone thinks that their priorities are important.  And IT security is seen as a zero-sum game.  “If I give IT Security xx dollars, I won’t have money for marketing, or product development, or sales, or real estate, or other IT projects, or whatever.”  It’s not.  Embed the security costs INTO these costs.  You want to market through a website or social media?  Great.  The cost of doing so securely and without opening customers up to spam and DDoS is such and such.  It’s not the IT Security budget, it’s the marketing budget.  This is not a gimmick.  It happens to be true.

Pay me Now or Pay Me Later

The cost of responding to an incident is anywhere from 10 to 100 times that of preventing it.  (See, I can make up statistics as well as you can make up a budget!)  But certain costs can’t be recouped.  Like brand and reputation.  That’s worth protecting, right?  So develop a cost of NOT doing what you are asking for.  Let the CEO decide HOW she wants to pay you.


Tell the CEO what OTHERS are doing, and why.  And the impact of what they are doing.  Nobody wants to be left behind.


Even if you look at security as risk reduction, don’t look at it as something you are doing alone.  Find out who handles the insurance policies within your organization, and see what you are doing with respect to general liability and cyber risk insurance.  If you are doing something to reduce YOUR risks, you are doing something to reduce your carrier’s risk as well.  They should be able to quantify the benefit to them (rate reduction, perhaps) and justify at least part of your budget.


Yeah, FUD works.  Sometimes.  CEOs watch the news.  They know about Home Depot, Target and SONY.  Explain to them why your company’s name ISN’T on that list.  At least not yet.  But not too much FUD.  And not too often.  CEOs aren’t stupid.

So these are just a few tips.  If all else fails, try a temper tantrum.  Who knows, it works for a three-year-old.
