The competition for internal financing in all organizations is as fierce as ever. Departments go head-to-head to get the biggest chunk of the annual budget and there always seems to be a dominant winner for those finite funds, the marketing department. Why shouldn’t they win year after year? It is their job to persuade people to spend their money on your company’s products and services. However, the other departments, namely the information security department, may see this as unfair and even a waste of internal resources. This article examines ways CISOs, CSOs, or any other information security officers can compete with the marketing department and provides insight on how to present your case to upper management to secure the funds you need to manage an effective and efficient ISMS.
In my conversations with information security managers, the comment I hear most is “Management was all for establishing an ISMS, now the wind is out of the sail and there is no budget.” In my opinion this means that the case for funding the ongoing maintenance of an ISMS was never sold to upper management. Budgets are being cut for the information security department while the marketing department secures a multi-million dollar budget with the goal of simply generating interest in the company (what is the value to stakeholders of interest in a company anyway?).
While the marketing department looks to get views on YouTube for a video they hope goes viral, the information security department is working to protect stakeholders’ value (protection of stakeholders’ value seems a lot more tangible). Yet there is a struggle to get the resources needed for an effective and efficient ISMS. Again, this comes down to the internal sales process. A convincing case must be made to get the finite funds allocated to the information security department. Let’s take a look at how the marketing department makes its case for funding.
STEP 1: ESTABLISH A NEED
The first step the marketing department takes in making the internal sale is to establish the need for funding. In most cases this comes down to one simple thing: leads. The marketing department argues, “Without leads, we won’t make sales, and without sales, well, without sales there is no reason for us to be here.” Ok, this makes sense; however, without good products and services and an organization to support the delivery of those products and services, thousands of leads will never turn into sales. Whether this argument is a valid one or not is a moot point; what matters is that it works for the marketing department a majority of the time to get the funding it requires.
So how do you establish a need for information security? This is not a challenge, but it may take some wordsmithing. My suggestion is that you speak in broad terms when describing what information security is and does for the organization. Often, those who live and breathe information security in everything they do get bogged down in details when explaining it. However, this is not what management wants to hear. They want the “big picture” or “the bird’s eye view.” In my experience a proven way to describe the necessity for an ISMS is to say:
“Information Security is an essential component to the success of our organization. An information security management system will provide us with a powerful link between executive management, the board of directors/governing body (substitute with whoever is ultimately responsible for the organization’s performance) and the information security team. This will ensure we are providing the decision makers with relevant information, allowing you to take a risk-based approach and make informed decisions that ensure we meet our overall business objectives. We need to continue to develop and improve our ISMS so you and the rest of the management team can make the best decisions to protect our stakeholders.”
The need has now been established: upper management needs the right information to make the best decisions to protect shareholders. This need is tangible and should speak to one of the key business objectives in most organizations.
STEP 2: DISCUSS RETURN ON INVESTMENT
Return on Investment, ROI, is one of the most commonly used acronyms in business. Decisions are made based on ROI on a daily basis (an informed decision). The marketing department uses ROI for everything it does (or at least it should). They track the ROI on advertisements, campaigns, posts on social networks, you name it. When making their case for the finite funds, however, they project ROI. But what is a projected ROI? At the end of the day, it is an educated guess at how much money those finite funds will bring in. For some reason, when a marketing director says “the ROI on this campaign will be over 200%,” there are not a lot of questions about where that figure comes from. Where it comes from, however, is a mix of demographics, historical performance, comparison statistics, and some (as in a lot of) assumptions.
If the marketing department can be successful using ROI to make its case, so can the information security department. Here is how to do it.
The best way to make your case is to use a ‘worst case’ scenario, outlining a critical event that could have been prevented with a strong ISMS strategy. However, it should not be something technical in nature. A good example is to use corporate reputation. Corporate reputation is something all members of upper management can relate to. Present your case in terms of the ROI of preventing an incident that damages corporate reputation. Think of the associated cost of repairing that damage (you might want to ask the marketing department for a budget on a few press releases, campaigns, and other ways to get the word out that your organization is sorry that personal information and credit card numbers were stolen by hackers). Use this number and the budget you are asking for to do a quick ROI calculation. Most likely the cost to repair the damage is much higher, and you can make your case by citing a single incident. While you are at it, it wouldn’t hurt to throw in a couple dozen incidents that your stellar ISMS prevents or mitigates.
The point of Step 2 is to talk in terms of cost: the cost if you do it (your budget) and the cost if you don’t. Make upper management ask themselves, “Am I willing to take the risk of not doing this?” It is not enough to say, “If we don’t get the budget for this project, we may not be able to protect our customers’ information.” Make your point by spelling out what will happen if you do not protect your customers’ information.
STEP 3: SHOW THE DELIVERABLES
The marketing department does an excellent job of showing management what they will get for their money. Whether it is storyboards for advertisements, product and promotion samples, or various mock-ups of the copy that will be going out, they show management what they will get. I admit this is a challenge in the information security world, but it is possible.
The key deliverables of an ISMS should be strategic alignment with overall business objectives, value delivery (through the protection of stakeholders and by making risk-based decisions), and accountability. Why not steal a play from the marketing department’s playbook and visually explain this to upper management? Show them how your effective and efficient ISMS is tied to the overall objectives of the company, create a graph showing the reduction in incidents and how much those reductions have saved the company, and create an accountability chart that shows how risks are being addressed and by whom.
The goal of an ISMS is to answer the Who, What, Why, When, Where and How questions. Present your case to management using visuals that are easily digested in a meeting, rather than telling them and hoping they are listening and understanding what you are saying. Time is precious in a business environment (as are finite funds), so make the most of yours and theirs by clearly depicting the answers to the six questions, and close the pitch with a believable financial windfall projection.
Your comments are always welcome. You can send us an email, firstname.lastname@example.org, for more information.