how to cost justify information security spendingFor the 25 years I’ve been covering IT, security vendors and their customers have struggled with selling information security to the chief executive and chief financial officers who pay the bills.

The problem is that spending on security is like spending on insurance. You can spend too little for years and everything seems fine. But when things go wrong, they can go wrong very quickly. Selling security requires focusing on specific business threats, not generic threats.

For Lack of an Actuarial Table…

In selling security as “insurance” the risk is hard to quantify. Does the customer have a one in ten, one in ten thousand, or one in ten million chance of being hit by a distributed denial of service or SQL injection attack? How much damage would these, or thousands of other possible attacks, do to their business? How much is it worth to prevent them?

With auto, home, or life insurance buyers and sellers have the guidance of actuarial tables based on years of experience with well-defined and mostly stable risks. In computer security, we have neither. The threats are always changing, both in terms of the specific types of attacks and in the delivery channels for those threats.

Consider, for example, the recent hack of the Twitter account maintained by The Associated Press. The hacker posted a fictitious tweet about an attack on the White House. Hackers loyal to  Syrian President Bashar al-Assad claimed responsibility. But the Feds are reportedly checking stock trades made before the report was rebutted, during which time the Dow dropped 150 points.

But how could the AP have known of such a potential threat or that it needed to spend on security to prevent it? After all, it’s only been on Twitter for several years and maybe hadn’t thought through the implications of a Twitter hack.

Focus on the Business, Not the Attack

That entire line of thinking – preventing specific attacks – is the exactly wrong way to sell or buy security. That was I heard from several folks at a recent security discussion hosted by managed security services provider StillSecure.

Instead, they said, make security spending decisions based on how the business uses information and the potential threats from misuse of that information.

In the case of the AP, its business depends on its reputation for providing valuable information, pointed out David Kidd, Director of Quality Assurance and Compliance at IT infrastructure and cloud provider Peak 10, Inc.  It should have evaluated security threats based on the risk they posed to any information bearing the AP “brand,” however and wherever it was distributed. That way, he said, it’s more likely the news agency would have protected its Twitter account more completely earlier. (Twitter recently announced two-factor authentication if you’re worried about your own account.)

Think Like a Hacker

A related tactic is to war-game the most destructive ways a hacker could misuse your information assets, and focus on plugging those vulnerabilities. David Campbell, co-founder and CEO of safeinstance (a stealth startup in the cloud security space) described how he showed a client’s CFO how he hacked their financial systems and was one click away from issuing an unauthorized stock dividend. Showing the CFO that screen shot had a lot more impact than droning on about the dangers of leaving the wrong server ports open or leaving their passwords on a sticky note on their desk.

It’s also easier for a CEO or CFO to quantify the damage from a specific business-specific scenario (such as hacking THEIR financial system or THEIR Twitter account) than on generic attacks that could hit any organization at any time.

Am I the only one who hasn’t realized this is the way to sell customers on the security they need, or is still an evergreen challenge? And does anyone else have great tips for showing the business value of security?

 Drop me a line if you need anything from white papers to case studies, blogs or email newsletters explaining the business value of any IT product or service.

Author: Bob Scheier
Visit Bob's Website - Email Bob
I'm a veteran IT trade press reporter and editor with a passion for clear writing that explains how technology can help businesses. To learn more about my content marketing services, email or call me at 508 725-7258.