Choosing her words carefully, Nina Burgess describes her employer, Fortune 500 financial company Comerica Inc., as “very intentional.” By that, she means it’s a company with lots of process and a deliberate decision-making model. If you want to spend the company’s cash, you’d better have your business case down cold. That’s because you’ll have to make your pitch to the Strategic Investment Committee, an august body of top-level leadership that generally meets every four months to scrutinize every major investment proposal. The company has a multi-step process for ensuring that the business case presented for each project is truly accurate.
So how does the information security group get a significant security investment through that gauntlet?
Ideally, it doesn’t. The businesspeople do it.
That’s how it came to pass that Burgess, vice-president for product development in the company’s treasury management business, found herself pitching the Strategic Investment Committee on encryption software. Burgess says her business unit needs to share lots of data with clients old and new. Unfortunately, over the past several years, sharing that data in a secure manner has become so difficult that it hindered Comerica’s ability to sign up new customers. Burgess went to the information security group for help. Top of her list of requirements: simplicity. Some of Comerica’s customers are smaller companies that can’t afford expensive client software and don’t necessarily have large, sophisticated IS groups. Common solutions such as PGP (Pretty Good Privacy encryption software) were too complex for these clients, according to Kenneth Schaeffler, first vice-president for Comerica’s corporate information security services — which meant that Comerica’s own IS manpower would get tied up solving customer support issues.
Schaeffler’s group routinely scours the landscape of emerging infosecurity technologies. (Schaeffler calls this systematic effort the “security architectural domain process,” in case you thought talk about Comerica’s process-heavy style was exaggerated.) When Burgess approached the information security team with a bulleted list of requirements, the group found a possible match in software from a company called Cyber-Ark. Cyber-Ark creates an encrypted electronic “vault” into which sensitive files can be placed; remote clients and customers can log in and access the files via the Internet, instead of using FTP or other standard solutions that may be slower or are not designed with security in mind. (In other industries, Cyber-Ark gets used for storing things like CAD/CAM files or even password lists.) Scott Vowels, vice-president of security architecture and engineering, says the Cyber-Ark approach proved easy for clients to manage — satisfying Burgess’s top requirement — as well as being in sync with Comerica’s overall information security architecture.
So together, Burgess’s and Schaeffler’s groups built the business case. And before they presented it to the Strategic Investment Committee, they put the idea through its paces by garnering feedback from a working team that included the IS department and business-side representatives from across Comerica’s broad geographical reach (the company operates in the United States, plus Canada and Mexico).
Satisfied that the proposal would stand up to scrutiny, Burgess presented the purchase not as an infrastructural investment but as a revenue generator. If signing up new customers becomes easier, it stands to reason that you’ll sign up more customers. In fact, Comerica set out to actively market its increased security, issuing press releases and serving as a customer reference for Cyber-Ark.
Two more key points in the business case: First, because the solution was easy to manage on an administrative level, the business operations side took over that task, rather than the IS group. That makes for a lower overall cost of support, Burgess says, since IT manpower is typically more specialized, and therefore more expensive, than the average operational employee. Second, according to Vowels, other business units, in addition to Burgess’s treasury group, can also benefit from the software, because it’s fairly simple for more Comerica units to drop information into the same client vault. That means more ROI is possible (though not guaranteed) without significantly increasing the original investment.
It goes to show that the best business case is one built, and presented, by the business.