Enhancing Value Propositions with IT Security
By Steven Fox, Founder of SecureLexicon
David Kelleher’s “10 Things that WON’T Happen in 2009” is an insightful discussion of security issues that, against all efforts, seem to visit us with each coming year.
In spite of serious security breaches in 2008, Mr. Kelleher states that organizations will continue to view security as an afterthought rather than a critical business consideration. I agree that a business that does not see the value proposition in security investments is less likely to make such investments.
In order to raise information security as an agenda item to a board of directors, we must make a business case for it.
In “A common sense way to make the business case for software assurance” several models for the communication of security investments are presented. Among them is the balanced scorecard.
This model examines the organization through the use of four metric perspectives:
- Financial
- Internal Business Processes
- Learning and Growth
- Customer
The Financial metric requires accurate and timely information about the fiscal health of the company. This includes data on assets, liabilities, and risks. All investments boil down to an analysis of this metric.
Thus, the financial impact of a security solution must be communicated appropriately.
The Business Process metric allows executives to ensure that processes are meeting business requirements. This metric is a powerful driver for change in business strategy.
Rather than struggle with existing processes and culture, security professionals must strive to design solutions that leverage these elements. While change is sometimes required, this change must be fostered by leadership in order to be successful.
The Learning and Growth metric examines attitudes towards corporate and self improvement.
Learning extends beyond the immediate enhancement of knowledge. If inculcated into the business, it can change the way the business competes for the better.
Given the value of intellectual capital, security proposals must highlight the educational enrichment they have to offer. A workforce that understands how to counter the risks faced by the organization adds greater value to the bottom line.
Lastly, the Customer metric is an indicator of market satisfaction in the products and services offered by the business.
This metric includes the reputation of the organization. Security professionals must show how their proposals will enhance customer satisfaction. They must also show how the business can enhance its value proposition via security investments.
If information security professionals discuss security within this framework, they can communicate the business value of a given set of solutions. By speaking the language of business they can get the attention of those in control of the budget.
In “10 Things That WON’T Happen in 2009”, David Kelleher also argues that organizations will adopt a “Do more with less” approach to controlling IT security costs.
While optimizing existing processes and resources can lead to short-term gains, doing so blindly may lead to long-term problems throughout the organization. Security spending strategies must support the core-competencies of the business and the needs of the customers that drive the bottom line.
The shift toward business-enabling security spending was highlighted by Forrester Research.
They noted that small to medium-sized businesses will shift their focus from protecting against computer security threats to protecting their critical data. Their analysis also noted a movement towards managed security services.
More importantly, the article showed that while businesses have yet to accept security as a business-enabler, they do recognize it as a business issue. Before we can highlight the business case for security, we must understand the organization that will pay for those investments.
In “Considerations and Foundations for Assuring Software Security: Business Case Models for Rational Action”, Don O’Neill notes that “Cost is a function of perceived value.”
An organization, he argues, will gain a competitive advantage from security investments only if its customers value security enough to pay for it. Thus, an organization must communicate its security strategy as a value-add for the customer.
Mr. O’Neill offers basic questions that must be brought before the Board:
- To what extent does the organization include its global supply chain management operation in its software security assurance operations?
- To what extent are the management staff and technical staff trained in their software assurance management responsibilities?
- To what extent is the organization’s legal staff trained in software security assurance?
- To what extent are the organization’s executive and senior management trained in their software assurance management responsibilities?
- To what extent are the members of the board of directors informed of their software security assurance oversight responsibilities?
How can InfoSec professionals influence their company’s brand image?
They must first understand how security is perceived in relation to the business plan. They must then begin to market strategic IT security investments that enhance its competitive edge.
Steven is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon, a security advisory firm addressing the unique security concerns of nonprofit organizations.
He can be contacted at sfox@securelexicon.com
Follow him on Twitter - @SecureLexicon
* * *
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
Comments
One Comment on Enhancing Value Propositions with IT Security
- Can Security Policy live in a Business World? | Rob the Geek on Thu, 25th Jun 2009 5:26 pm
[...] had a couple of decent articles come through my various feeds this morning in regards to IT Security and how companies are [...]