So, how do you sell security?

Attendees at the recent Infosecurity Canada conference in Toronto got to hear a wide variety of opinions on how IT managers should go about selling security to the board. Other than the fact that security is still frequently a corporate afterthought, there was no consensus.

In a nutshell, buying security is like buying a cloud. You know it is there but until it rains (or you are attacked) you have no proof.

“We don’t know whether the amount we are spending on security actually reduces the risk,” said analyst Pete Lindstrom.

Risk reduction is assumed to be a given when IT security is beefed up, but in reality it is difficult to prove. Making a system more secure definitely makes it more difficult to hack. But it is almost impossible to calculate whether risk is actually reduced since, for example, better protected systems may actually attract more talented hackers. After all, talented thieves rarely knock over convenience stores.

Lindstrom, research director for Spire Security LLC, a Malvern, Penn.-based security-focused analyst firm, gave a talk on the art of calculating return on security investment (ROSI). But even he admitted it is all “murky stuff.”

For example, a common equation for potential loss is annual loss expectancy (ALE): the probability of an occurrence times the value of the asset (ALE = P x A). If there is a 1 in 10,000 probability of a server worth a million dollars being corrupted, the ALE is $100. So, at the very least, a company should spend $100 a year protecting it.

“Those are great letters,” Lindstrom said. “But what the hell are the numbers?”
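A worked version of that ALE arithmetic, added here as an illustration rather than taken from the article or Lindstrom's talk. The $1M server and 1-in-10,000 figures are the article's; the band of competing probability estimates and the control cost are constructed values.

```python
from fractions import Fraction

# Added illustration of ALE = P x A. The server value and 1-in-10,000 figure are
# the article's; the estimate band and control cost below are constructed.

def annual_loss_expectancy(one_in_n: int, asset_value: int) -> Fraction:
    """ALE = P x A, with P given as a 1-in-N chance per year (exact arithmetic)."""
    if one_in_n <= 0 or asset_value < 0:
        raise ValueError("need a positive N and a non-negative asset value")
    return Fraction(asset_value, one_in_n)

def ale_band(asset_value: int, n_best_case: int, n_worst_case: int) -> tuple:
    """Lindstrom's point: P is the murky input. Report the ALE across a band of
    probability estimates, from the rarest (large N) to the most frequent (small N)."""
    return (annual_loss_expectancy(n_best_case, asset_value),
            annual_loss_expectancy(n_worst_case, asset_value))

def control_pays_off(control_cost: int, ale_before: Fraction, ale_after: Fraction) -> bool:
    """On ALE grounds a control is justified only if the expected loss it
    removes is at least its annual cost."""
    return ale_before - ale_after >= control_cost

if __name__ == "__main__":
    # The article's example: 1-in-10,000 chance of losing a $1M server -> $100 a year.
    print(annual_loss_expectancy(10_000, 1_000_000))  # 100
    # Constructed band: estimates disagree between 1-in-100,000 and 1-in-1,000.
    lo, hi = ale_band(1_000_000, 100_000, 1_000)
    print(f"ALE between ${lo} and ${hi} depending on whose probability you believe")
    # Constructed control costing $500/yr that halves the probability: not justified.
    print(control_pays_off(500, annual_loss_expectancy(10_000, 1_000_000),
                           annual_loss_expectancy(20_000, 1_000_000)))  # False
```

The 100-fold spread in the band is the "what the hell are the numbers?" problem in one line: the same formula justifies either $10 or $1,000 a year.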

Jim Robbins agrees. “I think [using metrics] is an overrated mechanism,” said Robbins, president of Ottawa-based EWA-Canada Ltd., during a subsequent panel discussion.

Therein lies security’s biggest problem – subjectivity.

The actual probability of an occurrence is difficult to calculate. There are statistics available but their accuracy is open for debate. It is questionable exactly what percentage of companies answer surveys truthfully. It also depends on who is asked. CIOs may be blissfully unaware of many events, while most CEOs are unaware of all but the worst.

The cost of an event is also difficult to calculate given the level of interdependency between systems. Slow servers and squeezed bandwidth due to SQL Slammer will slow down employee access to the Internet, but at what cost?

Lindstrom likes to narrow his focus down to labour costs since they are much easier to calculate. If a blended threat (such as Code Red) requires IT workers to drop what they are doing, there is an associated cost. Just calculating the hours spent fixing a problem is often enough to get senior management’s attention.

Another way to sell security is to focus on the cost of a specific failure.

Canada and the U.S. have stringent privacy laws (PIPEDA and HIPAA respectively), which allow for fines to be imposed on companies that divulge certain personal information. If corporate information is not secure, a company could be held liable.

“As soon as you have the lawyers and auditors involved, you have boardroom attention,” Robbins said.

Though he doesn’t use it often, fear can also be a great motivator, said Robert Garigue. “I don’t mind scaring people, it is really easy to do.” But he added a caveat: “You will (only) get money once.” Garigue, chief information security officer with the Bank of Montreal Financial Group in Toronto, said a common next step is to demand that security spending be a portion of the IT budget. This works for a while, he said, but it too has a finite life.

The key for long-term security success is to show value, not necessarily risk reduction or ROI.

“You have to really show improvement,” Garigue said. This could be anything from less downtime due to cyber attacks to an increase in security certified personnel.

Finally, those responsible for IT security should not report to the CIO. “It is the fox in the hen house,” said Gene McLean, the Edmonton-based chief security officer with Telus Communications Inc. He said when budgets are tight, “the first thing to go is security.”
