When talking with customers about seeking approval for their investments in security, I think back to conversations I have with my children when they ask if they can have something. The conversation goes a little something like this:
Andy: Daddy can I have the new video game?
Dad: Why do you want it? You have 50 other games sitting on the floor of your room.
Andy: Because I need to have it!!!
Dad: But why?
Andy: Because!!! (repeat “But why” loop 4 times)
Dad: Will this game bring you joy and happiness?
Dad: Well, since you have no money, if you want this game you need to clean your room, keep it clean, and mow the lawn for the next month. Deal?
Andy: A whole month?
Dad: Yes, a whole month.
Andy: Ok then.
Now imagine this same conversation with the CFO, CIO, or any other CxO when asking for a new security tool.
CISO: Mr. Smith (CFO), we really need a SIM, and here is the price. Please sign the PO.
Mr. Smith: Why do we need this?
CISO: Security, to keep the environment secure.
Mr. Smith: But we spent a significant budget last year, and the graph of your budget is a hockey stick. Why do we need this?
This is the same conversation I had with my son, but taking place at the executive level; this is no longer acceptable. When I speak with clients about their issues and our solutions, the question I ask is: what is the business issue they are trying to solve, or what is the business purpose of their initiative?
Imagine that same conversation with the CFO if, when you were asking for the PO for the great new tool, you came in with a business case for the investment. The business case would clearly state the problem, the dollar value of the problem (at least an estimate you can defend), the solution, and the cost-benefit of implementing it.
The CFO or any other executive doesn't care about the shiny new tool, and as business security leaders we need to care about security, but first about the business. Without the business we have nothing to protect; our job is to reduce the risk to the company and make it as profitable as possible. We need to encourage our teams to think about, and help deliver, the business case when they bring proposals to us.
This is the first part in a series I am writing about the business of security. In the next few parts I will be discussing business case creation and how to show value to the business for your security initiatives.

Tags: IT risk management, security, security management