Why Security Is a Strategic Investment
The struggle for security budget highlights the disconnect between security teams and top management. Security has long been viewed as an unavoidable cost center. Security teams communicating with executives highlighted how many vulnerabilities were remediated and how many patches were installed, but have often failed to convince top management of the need for (and value of) security.
In fact, security is a strategic investment that reduces corporate risk, helping the organization reach its business value goals. The steps below will help IT security professionals build a strong argument for increased security budgets.
Step 1: Look at the Business First
Instead of starting with threats or the systems in place, look first at the business: What are the organization’s most important strategic initiatives? What are the critical supporting processes that need protection from threats? Which processes generate value? Consider consulting with business peers to better understand the financial aspects of given initiatives.
Step 2: Quantify the Risk to Your Organization
Next, determine which resources would be affected by security threats. How much of the business would be impacted by an interruption? Would 10 or 25 percent of revenue be threatened? More?
What if an asset were unavailable for an hour, a day or a week? What secondary impacts might accrue from that? Would there be a regulatory impact or potential fines? Damage to the brand? An impact on the stock price?
For each of the most important initiatives, processes and assets, could security have an impact on their success? Look at what threats exist — threat intelligence feeds can help here — and determine how likely they are to pose real risk to the confidentiality, integrity or availability of critical systems. It doesn’t hurt to think like a hacker: which assets (intellectual property, customer base) or processes (sales, finance, human resources) would the hacker target, and why (monetization, disruptions, etc.)?
Step 3: Quantify the Value of Security
To assess the risk for each important initiative or process, simply multiply the total impact of the vulnerability by the probability of a threat exploiting that vulnerability. A risk matrix can help to prioritize risks by showing potential damage compared to the probability of the risk occurring.
For assets or processes where the both the risk and the probability are high, identify the controls in place to reduce the likelihood or mitigate the risk. How good are they? What is the current mean time to detect a threat? Calculate in dollars the value of a speedy response that reduces the business impact of data exfiltration or other security breaches. Look to public data, such as the VERIS (Vocabulary for Event Recording and Incident Sharing) framework, to build a baseline of metrics, such as:
- Time from compromise to discovery (dwell time)
- Time from initial alarm to triage
- Time to close an incident