[ISN] Selling Security to the CFO

From: InfoSec News (isn@private)
Date: Tue Oct 14 2003 - 05:18:06 PDT


    Forwarded from: William Knowles <wk@private>
    
    http://www.computerworld.com/managementtopics/roi/story/0,10801,85892,00.html
    
    Story by Doug Lewis
    OCTOBER 13, 2003 
    COMPUTERWORLD
    
    "Shut it down, now!" The guy issuing this command was my chief 
    information security officer (CISO). The "it" he ordered shut down was 
    our entire Internet infrastructure. That infrastructure was generating 
    more than $2 million of high-profit revenue every day. After a 
    sleepless night he had finally figured out why we were suffering a 
    prolonged denial-of-service attack. Our firewalls should have been 
    flawlessly deflecting this attack, but they weren't. The "bad guys" 
    were on us like flies on a dead dog. 
    
    His sudden realization was that the firewalls had been reloaded 
    without any of the most critical defensive rules. 
    
    The cause of this attack turned out to be human error, but the event 
    triggered a complete review of our Internet security, followed by a 
    decision to beef up our defenses and outsource much of our security 
    administration and monitoring. 
    
    Back in the good old days, security consisted of a few firewalls and 
    some virus protection. The threats have outgrown those simple 
    defenses, and the cost has outgrown the approval level of the CISO 
    and, sometimes, that of the CIO. Fortune 500 companies are finding 
    themselves with security expenditures that require CEO and even 
    board-level approvals. Each one of these companies comes with a 
    beady-eyed chief financial officer demanding a rock-solid business 
    case with a credible return on investment. 
    
    So you've got three problems. You've got to determine the appropriate 
    level of security for your company. You've got to build a business 
    case that nontechnical senior executives will understand and support. 
    You've got to show that there's a financial return coming out of the 
    investment. And all this is for a system where, if it's performing 
    perfectly, nothing happens, right? 
    
    Take a deep breath. It can be done, and with credibility that even the 
    toughest CFO will buy into. 
    
    Step 1: Determine the current and appropriate levels of security. Get 
    a security assessment done by a company with a solid reputation. Be 
    sure to include vulnerability assessments and penetration tests 
    against your key systems. (Key systems are those that move money, 
    customer data, employee data or products.) Don't do this yourself. You 
    probably don't have the expertise, but even if you did, you wouldn't 
    have the credibility you need to sell the business case. 
    
    Done right, you'll emerge from the assessment with a very good idea of 
    the state of your IT security vs. where you should be and what you'll 
    need to do to get there. Don't be defensive. Share the results with 
    your CEO and business-unit chiefs. They'll become your allies in the 
    fight to get the business case approved. Make it easy for them to 
    understand the problem and the cure. 
    
    The assessment will tell you where your defenses are weak and drill 
    deeply into each area of exposure. You should know for each 
    application what the potential security breach would be, the total 
    economic impact of such a breach and the likelihood of the breach 
    happening. The best source for this type of data is the annual report 
    jointly released by the Computer Security Institute and the FBI. It 
    has credibility that your CFO will respect. 
    
    The last part of the assessment is to project your security costs over 
    the next five years based on the use of your current technology and 
    processes. 
    
    Step 2: Build a security plan to fix the holes identified by the 
    assessment. Cover all the bases. Perimeter firewalls, virus 
    protection, intrusion detection, internal network segmentation, 
    applications, deployment, hiring, outsourcing, training, monitoring 
    and operations all need to be included. Make it a five-year total cost 
    of ownership (TCO) model. Whatever you do, don't underestimate the 
    difficulty and cost of putting these pieces in place. There are 
    countless stories of good people getting fired because they had 
    intrusion-detection devices sitting in the warehouse six months after 
    paying for them. They simply didn't have the staff to install the 
    devices. 
    
    The TCO is going to be much bigger than you expect. Security is 
    expensive. However, if you don't include all the elements and don't 
    make the five-year TCO calculations, the CFO will just make you do it 
    over, and you'll lose points. If you sneak a low-ball number through 
    the approval process, you'd better start polishing your resume. 
    
    Step 3: Build an ROI-based business case for security investments. It 
    can be done, and here's how: The secret is to explain to senior 
    executives what you're trying to do in terms they can understand. They 
    survive by making smart resource (money) allocation decisions. Give 
    them an understandable set of facts, and they'll spit out the right 
    answer. 
    
    Start at 50,000 feet. Mental pictures and diagrams work well with 
    senior execs. I use a security S-curve diagram and a castle-and-moat 
    analogy. 
    
    Explain that you're building a moat around a castle. Until you get the 
    moat completely around the castle, you've spent a lot of money with no 
    improvement in security. That analogy represents the far left side of 
    the S-curve. Until you've established a minimum level of protection, 
    you're spending a lot of money but are still totally vulnerable. 
    
    Once you've got the moat encircling the castle, you can decide how 
    wide and how deep it needs to be. This is the middle of the diagram, 
    which I call the Prudent Zone. It varies by vertical industry. Talcum 
    powder manufacturers need less security than credit card processors. 
    Building the moat a mile wide and only yards deep is a waste of good 
    money. This represents the far right side of the S-curve. You're 
    spending a lot of money and not significantly improving your security. 
    CFOs fire CIOs who waste money these days; that looks really bad on 
    the resume. 
    
    Next, drop down to 20,000 feet. Say what you want to do with the money 
    and why. I use a risk/solution matrix. It takes data from the 
    assessment and lists the risk areas, the economic impact of a security 
    breach in each risk area, the likelihood of a breach happening and the 
    resulting cost to the business of each breach. I match up the elements 
    of my security plan against the risks and check every box where the 
    plan addresses a risk. 
    
    I like to list all the actions required to complete the moat first. 
    Then I list the actions that would bring the company to its Prudent 
    Zone. Next, I list the things that would take the company a bit past 
    the Prudent Zone—but not too far past. 
    
    Now that you've anchored each proposed action and its cost to a 
    financial risk model, you need to tie an ROI to each action. You have 
    four fundamental ROI opportunities for each action: reduce current 
    costs, reduce future costs, reduce the financial risk to the business 
    or increase revenue. CFOs get giddy over this stuff! 
    
    Investment in information security can provide an ROI by reducing your 
    annual loss expectancy (ALE) from a security breach. ALE is the cost of 
    a single breach (the single-loss expectancy: impact per day times the 
    expected length of the outage) multiplied by the probability that such 
    a breach occurs in the coming year. It's much like the actuarial 
    calculations insurance companies use to compute your premiums. 
    
    For example, let's assume you have a Web site that does $2 million of 
    business per day. The security assessment shows the site is vulnerable 
    to a denial-of-service attack, which would result in a three-day 
    outage, and there's a 60% likelihood of a successful attack occurring. 
    The ALE is $2 million per day x three days x 60% = $3.6 million. 
    
    The security improvement costs $500,000 and will reduce the likelihood 
    to 15% and the outage to one day. The improved ALE is $2 million per 
    day x one day x 15% = $300,000. This yields a first-year return of 
    $3.3 million ($3.6 million minus $300,000) from a $500,000 investment. 
    Net of the $500,000 outlay, the first-year gain is $2.8 million; show 
    that net figure too, because it is the one the CFO will compute. 
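    The ALE arithmetic above, carried through as a small risk/solution 
    matrix. This is an added example, not code from the Computerworld 
    article or its author; it generalizes the single denial-of-service case 
    to several risk rows, nets the control cost out of the return and 
    projects the five-year view the plan is supposed to carry. The Risk and 
    Control classes, the field names and every figure in EXAMPLE_RISKS and 
    EXAMPLE_CONTROLS are assumptions made here for illustration; only the 
    first pair reproduces the article's numbers. 

```python
"""Risk/solution matrix with ALE and ROSI arithmetic.

Added example, not code from the Computerworld article. It generalizes the
article's single denial-of-service case to several risk areas, nets the
control cost out of the return, and projects a multi-year view. All figures
in EXAMPLE_RISKS / EXAMPLE_CONTROLS are constructed; the first pair
reproduces the article's numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the risk/solution matrix, before any new control."""
    name: str
    impact_per_day: float   # dollars lost per day of outage or exposure
    outage_days: float      # expected duration of one breach
    probability: float      # chance of at least one breach in a year, 0..1

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.outage_days < 0 or self.impact_per_day < 0:
            raise ValueError(f"{self.name}: impact and duration must be >= 0")


@dataclass(frozen=True)
class Control:
    """A planned action that addresses exactly one risk row (assumed shape)."""
    name: str
    risk_name: str
    capex: float                # one-time spend (hardware, licences, install)
    annual_opex: float          # recurring spend (staff, monitoring, outsourcing)
    residual_probability: float
    residual_outage_days: float


def single_loss_expectancy(risk: Risk) -> float:
    """SLE: cost of one breach = impact per day x outage length."""
    return risk.impact_per_day * risk.outage_days


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x annual probability of occurrence (the article's formula)."""
    return single_loss_expectancy(risk) * risk.probability


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk row after the control is in place (validated by Risk)."""
    return Risk(risk.name, risk.impact_per_day,
                control.residual_outage_days, control.residual_probability)


def evaluate(risk: Risk, control: Control, years: int = 5) -> dict:
    """ALE reduction, net benefit and ROSI for one control, year one and over `years`."""
    before = annual_loss_expectancy(risk)
    after = annual_loss_expectancy(residual(risk, control))
    reduction = before - after
    year1_cost = control.capex + control.annual_opex
    tco = control.capex + control.annual_opex * years   # the five-year TCO line
    return {
        "risk": risk.name,
        "control": control.name,
        "ale_before": before,
        "ale_after": after,
        "ale_reduction": reduction,            # the article's "first-year return"
        "year1_net": reduction - year1_cost,   # what the CFO will actually compute
        "rosi": (reduction - year1_cost) / year1_cost,
        "tco": tco,
        "net_over_period": reduction * years - tco,
    }


def risk_solution_matrix(risks, controls, years: int = 5) -> list:
    """Evaluate every control against its risk row, best multi-year net first."""
    rows = {r.name: r for r in risks}
    results = [evaluate(rows[c.risk_name], c, years) for c in controls]
    return sorted(results, key=lambda row: row["net_over_period"], reverse=True)


# Constructed figures. The first pair reproduces the article's DoS example.
EXAMPLE_RISKS = [
    Risk("Web site denial of service", 2_000_000, 3, 0.60),
    Risk("Customer database exposure", 150_000, 10, 0.25),
]
EXAMPLE_CONTROLS = [
    Control("DoS hardening", "Web site denial of service", 500_000, 0, 0.15, 1),
    Control("Segmentation + IDS", "Customer database exposure", 200_000, 120_000, 0.05, 4),
]

if __name__ == "__main__":
    for row in risk_solution_matrix(EXAMPLE_RISKS, EXAMPLE_CONTROLS):
        print(f"{row['control']:<20} ALE {row['ale_before']:>12,.0f} -> "
              f"{row['ale_after']:>10,.0f}  year-1 net {row['year1_net']:>12,.0f}  "
              f"ROSI {row['rosi']:.0%}  5-yr net {row['net_over_period']:>12,.0f}")
```

    The probability and impact inputs dominate everything downstream, which 
    is why they should come from the assessment and the CSI/FBI data rather 
    than from the person asking for the money; the matrix only makes the 
    arithmetic, and the assumptions behind it, visible to the CFO. 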
    
    Now you've got all the raw ingredients for a successful business case. 
    The next step is to let your IT finance person produce your company's 
    standard ROI financial tables and then wrap the assessment summary, 
    the security plan with its five-year TCO, the risk/solution matrix and 
    the ROI calculations into the standard company format. Remember, you 
    want the business case for security to look exactly like the business 
    case for any other company investment. 
    
    Build a short PowerPoint presentation describing the highlights of 
    your story. Stay high-level. If you get into the speeds and feeds, 
    your audience's eyes will glaze over, and you'll lose credibility as a 
    business person. Shop the PowerPoint pitch to each senior executive 
    individually before your business case goes to the executive 
    committee. Don't skip the CFO. Listen well and incorporate what you 
    hear into the document. Now you're ready to take the business case to 
    the executive committee. 
    
    Follow this formula, and your next problem will be figuring out how to 
    spend the money. 
    
    Lewis, former CIO at InterContinental Hotels Group PLC, is head of The 
    Edge Consulting Group LLC in Atlanta. He can be contacted at 
    edgeconsulting@private 
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Oct 14 2003 - 08:12:30 PDT