“How does security improve your organization?” The answer to this one question will more than likely vary drastically depending on the responder’s role in the organization. Even as security practitioners, our answers may differ based on our own experience and education. The struggle for many in the field of information security is finding the best vehicle to communicate effectively to management and stakeholders the value security brings to the organization, and how it delivers real return on investment (especially in environments where security is more or less mandated, rather than harnessed as a driver for protecting our critical information assets).
Regardless of how the question is answered, most of us are challenged with providing management with the one key set of metrics that will answer the question: “How much will it cost and what benefits will I receive?” We tend to look towards the most relevant standards and reports, or assess the current threat environment for a comparable industry to find an industry average. But we may never fully deliver the information needed to represent security on a budget report that executives can understand when it comes to calculating the bottom line.
Organizations have significant trouble with the “balancing act” of justifying a security budget against the benefits achieved, primarily because management is more familiar with planning and implementing business strategies and less comfortable with integrating security management practices. The issue really comes down to the role security is given in the organization: advisory, rather than stakeholder. The question organizations should consider when developing budgets is how they view security - as an overhead expense, or as a measurable return on investment that represents real value on the balance sheet.
I feel security needs to have more visibility and representation within organizations, and this comes through understanding how security should converge with strategic drivers so that we can capture measurable improvements that tie directly into an end-of-year budget. Organizations also need to present security as a business function with a business purpose, rather than a technology problem handled by the IT department using an IT budget. The more security is hidden as an expense, the less viable it seems as part of the strategic driver for helping the organization achieve its business goals. The “silver bullet”, in my view, comes down to addressing the answer business leaders give to the question posed at the beginning of this post: “How does security improve your organization?”