How do you create a Business Case for Security?
Q:
How do you create a Business Case for Security?
In a nutshell, which would be a good way of putting together a business case for a solution that mitigates security risks, when the "income" generated by the solution is not easy to define?



Software/Hardware used:
Not applicable.
ASKED: Aug 14 2009  1:22 PM GMT
A:
Check out some of the tips in this Google search on ROSI security - ROSI: return on security investment.

---

Making the pitch for a security product is doomed to fail. Instead, make the pitch based on:

- availability
Every hour our web site is not available means we miss such-and-such revenue. This investment increases availability some percent. This investment actually saves us money.
Or something along those lines.

- confidentiality
Lost unencrypted "data at rest" examples are always in the news. The figures for penalties are easy to find.

- integrity
You could be making the pitch for a product that keeps people from accidentally or intentionally corrupting data. Management can relate to keeping accurate records.

If you can make the pitch:
- based on availability, confidentiality or integrity (or some combination thereof) and
- include supportable figures and
- make the pitch without using the word "security"
you'll stand a good chance of being heard. If you can't, then you probably shouldn't.
Last Answered: Aug 18 2009  9:48 PM GMT by Rklanke   750 pts.
Latest Contributors: Labnuke99   26290 pts.
Discuss This Answer:

JennyMack   3330 pts.  |   Aug 14 2009  1:36PM GMT

Hi DiegoDH,

Can you please provide more information? What security are you referring to? Organization-wide? Security on a specific program or transaction type? Please be more specific.

Thanks,
Jenny
Community Manager

 

KevinBeaver   7610 pts.  |   Aug 14 2009  4:02PM GMT

Most things security-related are not going to generate income other than the fact it can be a competitive differentiator depending on the line of business you’re in. Regardless I have found the following to be effective:

Making the business case for information security

Ten ways to sell security to management

 

Mrdenny   46810 pts.  |   Aug 14 2009  7:52PM GMT

Security will pretty much never generate revenue for a company. It’s simply a cost center. The value to the business comes as risk mitigation. If you have no security, the risk of a break-in and loss of data is high. As you purchase your security systems the risk of data loss is reduced.

 

DiegoDH   275 pts.  |   Aug 16 2009  8:41AM GMT

Hi Jenny,

The question was deliberately made at a high, generic level, as what I’m looking for is the underlying methodology for putting together a Business Case to “sell” security to the Business without using only the “fear” factor (which does not always work!).

Regards,
Diego.

 

DiegoDH   275 pts.  |   Aug 16 2009  8:44AM GMT

Kevin, I mostly agree with your comment. Thanks for the links, and even more if the info in them was helpful to you.

Cheers,
Diego.

 

DiegoDH   275 pts.  |   Aug 16 2009  8:49AM GMT

Hi MrDenny,

Thanks for your comment. I both agree and disagree, as if Security can be shown as a business enabler and not only a risk mitigation strategy, it might be then considered as generating (some) revenue. What I (and most security practitioners) don’t find easy is “how” to show this.

I’ve recently been in a panel discussion of this topic in a professional association I belong to, and there were some ideas thrown at the table but it’s not very clear how to change the business’ view of “security as a cost”. Because if it is a cost… then it should be reduced!

Cheers,
Diego.

 

KevinBeaver   7610 pts.  |   Aug 17 2009  12:19PM GMT

Management not seeing the value of security does provide one great benefit for those of us in the field: job security!

 

DiegoDH   275 pts.  |   Aug 17 2009  2:49PM GMT

Hmmm… job security. If you mean “stability”, not necessarily true, believe me! 8(

If you mean “a” job “in” security, my answer is: maybe. ;)

Cheers!

 

DiegoDH   275 pts.  |   Aug 19 2009  2:47PM GMT

Thanks Labnuke99! That “pitch” seems to be a good path to follow.

 

KevinBeaver   7610 pts.  |   Aug 20 2009  11:35AM GMT

If you don’t have management on your side through credibility, respect, and trust, no pitch for something that may happen is going to help. You’ve got to get them on your side and keep them on your side by understanding the business, what they’re up against, and slowly educate them - in their own words - about what’s going on in the world and inside your very organization.

 

DiegoDH   275 pts.  |   Aug 29 2009  3:35AM GMT

Again agree, Kevin. Management support is necessary.

 