How do you create a Business Case for Security?

Tags:
Information security
Risk management
In a nutshell, what would be a good way of putting together a business case for a solution that mitigates security risks, when the "income" generated by the solution is not easy to define?



Software/Hardware used:
Not applicable.

Answer Wiki


Check out some of the tips in this Google search on ROSI security (http://lmgtfy.com/?q=rosi+security) – ROSI: return on security investment.

Making the pitch for a security product is doomed to fail. Instead, make the pitch based on:

- availability
Every hour our web site is not available means we miss such-and-such revenue. This investment increases availability some percent. This investment actually saves us money.
Or something along those lines.

- confidentiality
Lost unencrypted “data at rest” examples are always in the news. The figures for penalties are easy to find.

- integrity
You could be making the pitch for a product that keeps people from accidentally or intentionally corrupting data. Management can relate to keeping accurate records.

If you can make the pitch:
- based on availability, confidentiality or integrity (or some combination thereof) and
- include supportable figures and
- make the pitch without using the word “security”
you’ll stand a good chance of being heard. If you can’t, then you probably shouldn’t.

Discuss This Question: 11  Replies

 
  • JennyMack
    Hi DiegoDH, Can you please provide more information? What security are you referring to? Organization-wide? Security on a specific program or transaction type? Please be more specific. Thanks, Jenny Community Manager
  • Kevin Beaver
    Most things security-related are not going to generate income other than the fact it can be a competitive differentiator depending on the line of business you're in. Regardless, I have found the following to be effective: "Making the business case for information security" and "Ten ways to sell security to management".
  • Denny Cherry
    Security will pretty much never generate revenue for a company. It's simply a cost center. The value to the business comes as risk mitigation. If you have no security the risk of a break in and loss of data is high. As you purchase your security systems the risk of data loss is reduced.
  • DiegoDH
    Hi Jenny, The question was deliberately made at a high, generic level, as what I'm looking for is the underlying methodology for putting together a Business Case to "sell" security to the Business without using only the "fear" factor (which does not always work!). Regards, Diego.
  • DiegoDH
    Kevin, I mostly agree with your comment. Thanks for the links, and even more if the info in them was helpful to you. Cheers, Diego.
  • DiegoDH
    Hi MrDenny, Thanks for your comment. I both agree and disagree, as if Security can be shown as a business enabler and not only a risk mitigation strategy, it might be then considered as generating (some) revenue. What I (and most security practitioners) don't find easy is "how" to show this. I've recently been in a panel discussion of this topic in a professional association I belong to, and there were some ideas thrown at the table but it's not very clear how to change the business' view of "security as a cost". Because if it is a cost... then it should be reduced! Cheers, Diego.
  • Kevin Beaver
    Management not seeing the value of security does provide one great benefit for those of us in the field: job security!
  • DiegoDH
    Hmmm... job security. If you mean "stability", not necessarily true, believe me! 8( If you mean "a" job "in" security, my answer is: maybe. ;) Cheers!
  • DiegoDH
    Thanks Labnuke99! That "pitch" seems to be a good path to follow.
  • Kevin Beaver
    If you don't have management on your side through credibility, respect, and trust, no pitch for something that may happen is going to help. You've got to get them on your side and keep them on your side by understanding the business, what they're up against, and slowly educate them - in their own words - about what's going on in the world and inside your very organization.
  • DiegoDH
    Again agree, Kevin. Management support is necessary.
