Ways to Justify Security Programs: 13 Cs
My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program.
I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment.
- Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.
- Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.
- Competitiveness. Please see my previous blog post.
- Comparison. If your company security team is 10% the size of the average peer organization size, it's not going to look good when you have a breach and have to justify your decisions.
- Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.
- Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.
- Constituents. I use this term to apply to internal parties. Large companies often provide services to other business units.
- Controllership. Is your organization well-governed? Can it account for the state of its systems for auditors and so forth?
- Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or handling them remotely by moving data, not people?
- Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improved defenses.
- Confidence. Confidence applies to all parties involved. Can you trust your data?
- Counting. This is a plug for metrics.
- [Securities and Exchange] Commission. This is a play on the 10-K forms shareholders receive in the mail. Please see the linked post for more details.
Comments
If I can convince them that the brown-matter storm will be big enough, they might spend some on security.
These are good points, but I've seen them fail to work other than in the KEEPING realm.
I remember one company, where after I cleaned up a breach and recommended a myriad of changes (again), the executives wiped their brow and said, "Boy, were we lucky they didn't get the credit cards."
And nothing changed.