With continued uncertainty lingering in the global economy, I think it is likely that spending on new information security initiatives will remain under close scrutiny. This isn’t to say that security initiatives won’t go forward, just that CISOs and security directors will probably have to do more to justify asking their organization to part with the capital needed to fund these projects. As a result, security leaders will have to be very intentional in their approach to security in order to secure the funding needed to improve or expand security operations. As I thought about how I might approach this challenge if I were back in the role of CISO, there are three key actions I would recommend to lay a foundation for justifying any new security initiative.
Take Inventory
Before embarking on any new initiatives, I think it is very important for organizations to take inventory of the security solutions, processes, and controls they already possess. This matters both for documenting past value delivered and for answering key questions about the existing arsenal of security technologies. The inventory process should answer the following questions:
- Are we fully utilizing all of the capabilities of the solutions we already own?
- What overlaps exist in the capabilities of the solutions we already own?
- From a people and process perspective, who is responsible for the various security processes? Are there overlaps in any of these or opportunities to gain efficiency in operations?
- Are the solutions well integrated, and are the supporting processes automated to the fullest extent possible, or is a lot of manual effort required to get solutions to work together?
- Do the existing solutions provide the visibility needed to reliably determine the organization’s ongoing security posture?
- Can we demonstrate any key wins or past value delivered from prior security spending?
By answering these questions, you should have a good understanding of the opportunities for better or more efficient use of existing capabilities, and you should have identified any obvious gaps that need to be addressed.
Assess Risk
Risk assessment and measurement should be part of your organization’s DNA and a key driver of information security governance. If you don’t already have a formal risk management process in place, there are a number of formal methodologies available, and all have their strengths and weaknesses. My personal opinion is that risk assessment should be as lightweight as possible, tailored to the organization’s business culture, and integrated into Enterprise Risk Management. It should not be overly cumbersome, nor should it require an advanced degree in quantum physics to understand. My experience has been that simpler is better when it comes to risk assessment and measurement. For those who like absolute precision in risk measurement, I would argue that management judgment will always be a factor regardless of mathematical precision, so education and accountability for risk management decision making are far more important than developing and using an overly complex risk scoring system.
As it relates to budget justification, risk assessment and measurement should serve two key purposes: demonstrating the value delivered by existing security controls and identifying gaps in security coverage. Your risk measurement process should account for the controls already implemented, so that it shows where existing controls manage risks and to what extent. Where gaps are identified, there are a number of questions that should be asked and answered:
- What is our risk exposure in terms of quantitative and qualitative impact to the business?
- Could the business live with the worst-case scenario playing itself out for a given risk?
- Is there a legal, regulatory, or ethical requirement to address a given risk exposure?
- Can we leverage the capabilities of existing controls or re-engineer business processes to address this risk?
- How much should be spent in capex and opex to bring risk to acceptable levels?
Through this process, CISOs gain an understanding of which risks should be given priority and whether new capabilities are needed to address them.
Streamline and Automate
While I would argue that information security should be (and in many organizations already is) a business enabler, I would also argue that, as managers, CISOs have a fiduciary responsibility to balance risk management, cost containment, and operational efficiency as part of the organization’s overall responsibility to deliver shareholder value. This leads to the third action I would recommend: looking for opportunities to streamline and automate security operations.
Eliminating redundancy in job functions, operational processes, and security products can provide cost savings that can be used to fund new initiatives. CISOs should also push their teams to review operational processes to look for ways to reduce process complexity and to eliminate or streamline manual processes through workflow and process automation.
Key to this action is examining the security portfolio for areas where product integrations can be improved. There may be places where it makes sense to trade off best-of-breed functionality for better integration and automation with the rest of the security portfolio, provided the capability given up is weighed explicitly against the risk it was covering. This, of course, is driven through a balanced approach to risk management and operational efficiency.
Conclusion
At the end of the day, most CISOs I talk to recognize that in order to be a business enabler and to have a “seat at the table” for business decisions, they must demonstrate that they understand their business’s needs and drivers. The actions I proposed in this post are one way to show that understanding and to position security as a business enabler. By being highly intentional in how we defend requests for security spending, we can demonstrate the positive impact that security has on business operations and show that we are maximizing the security investments the company has entrusted us to make and manage.