Daring to live life to the fullest

9 secrets of getting stuff done in a big company

    Published: 08 November 11, 15:53 GMT

    Security may be a hot-button issue for business executives, but in an
    environment of ongoing economic uncertainty, support for security
    initiatives isn't always easy to come by.

    Whatever's standing in the way - be it politics or personal agendas,
    inflexible budgets or outright adversaries - security professionals
    need to work hard to loosen the purse strings and get funding for the
    programmes they believe in.

    "There's no carte blanche for security," says Roland Cloutier, CSO at
    ADP, a $10 billion business solutions outsourcer.

    "It's an ongoing chore to prioritise our spend, align with business
    priorities and promote our requirements so we can get that extra
    dollar to protect the company," he says.

    Dave Cullinane, CISO at online auction giant eBay, agrees. "Where
    we're spending, what is the risk and what is the appropriate
    expenditure - all these things put together are making it more
    challenging to get things approved," he says.

    We asked several CSOs to tell us their best getting-it-done tips, and
    we distilled them into nine tactics for getting your security
    initiatives moving despite numerous obstacles.

    1. Do the maths

    With funding tighter than ever, it's crucial to present hard numbers
    on why your project or initiative is important. "If it's just
    marginally improving the level of security, that's probably not
    enough," says Richard Gunthner, CSO at Mastercard Worldwide. "There
    needs to be a return on investment that makes sense."

    With so many potential exposures - malware, system threats, new
    regulations - Cullinane says a big part of his job is calculating a
    risk picture and quantifying it to show the residual risk and the ROI
    of your intended fix. "If I can demonstrate that a $6 million
    investment will result in a $300 million risk reduction, the CFO gets
    that," Cullinane says. "But you have to prove the initiative will
    result in that reduction, and quantification is the hard part."

    Then, follow up with the results. "It's showing them, here's where we
    started, and here's where we came to in a short period of time,"
    Cullinane says. Once you build credibility, the money will come more
    easily. "I'm giving the CFO back $5 for every dollar he gives me, so
    he's willing to give me more - one of the nice things about security
    is you can demonstrate that," Cullinane says.

    One example is a recent investment Cullinane's organisation made in
    advanced malware-detection tools. When Cullinane asked his
    investigative team to conduct a pilot test to detect any major issues
    with employee laptops used to work from home, "we found we had a much
    more significant malware problem than we thought we had, especially
    targeting people in HR and finance," he says.

    This could have resulted in leaked information on organisational
    changes or planned acquisitions, but by making a small investment in a
    malware product, the exposure could be drastically reduced, he says.
    Cullinane also recently made a large investment in intelligence
    information to focus on major sources of fraud. "It was essential in
    arresting individual fraudsters and kept our fraud rate down 100
    percent more than the investments we made," he says.

    Ideally, you should show the investment will close a hole you have in
    your organisation that has resulted in a security lapse tied to a
    financial loss. If you can't pin it to an internal event, show what
    happened in another company, preferably in the same industry.

    "It shows it's not pie-in-the-sky but can and has happened, and
    therefore there's a risk that needs to be remedied," Gunthner says.
    "That makes it much easier to sell."

    Present your request for funding in what Cloutier calls "a
    risk-informed manner."

    "Everything can't be important, so we have to show what's important
    and why," he says. Cloutier works closely with the financial
    organisation to create models of risk impact - how it affects
    investments, revenues or business-unit financial models - and
    probability, based on comparisons with others in the industry.

    "We use a lot of financials because we're a financially focused
    company," he says.

    2. Show the business link

    Even if you can't get hard numbers, be sure to request funding only
    for initiatives that align with current business concerns, Cloutier
    says.

    For instance, if the current business concern is top-line revenue, how
    can you help do that faster? If it's closing the sales cycle faster,
    what programme can you initiate to speed that up? If the concern is
    expense reduction, what can security do to reduce fraud and waste?

    "If you can articulate that and show a direct link - not just a speech
    that points to something, but actually show a link - that gets
    corporate leaders behind your efforts to support them in reaching
    their goals."

    3. Watch your language

    You won't get far in your spending requests if you don't tune your
    message to the audience, whether you're presenting your case to the
    executive board, the IT group or the mailroom staff.

    "You should constantly be shifting gears in the way you talk to
    various prospective customers," says Jason Clark, chief security and
    strategy officer at Websense, a security solutions provider. "IT cares
    about operational details, but that's not the same conversation you
    should have in the boardroom."

    Alan Nutes, senior manager of security and incident management at
    Newell Rubbermaid, echoes this advice. "If you're talking to senior
    management, use C-level words," he says. "A security professional
    might say 'loss prevention,' where a C-level executive will understand
    'asset management.'"

    In an executive-level pitch for more firewalls, you might use the
    metaphor of needing brakes on a car, not for stopping but to go faster
    safely, Clark suggests. "Or if executives want to bring iPads in, you
    don't want to be the guy saying, 'No iPads'; it's 'Yes, iPads, but
    here's an extra piece of software on the network to secure it."

    The fact is, most business executives only become concerned about
    security violations when it's clear how the exposure will affect the
    top or bottom lines, and it's your job to make that connection for
    them. When Cloutier's team recently conducted a review of
    business-process risk, for instance, it discovered its data-monitoring
    controls were no longer optimal for one unit because of a change in
    the way the unit was transferring data. To make the case for the
    technology upgrade that would fix the issue, the team made the link
    between the security weakness and the unit's ability to get
    certifications that would allow it to win more contracts.

    "We put it in terms the unit would understand," Cloutier says. "They
    weren't so concerned about the actual security violations, but how it
    would impact their ability to generate new revenue because certain
    certifications would not be available to them otherwise." As a result,
    "they became our number-one business supporter in deploying new
    technology to remediate it," he says.

    4. Make it personal

    If you want to get someone's attention, lay an issue right in their
    front yard. Once people are made to feel accountable, they will take
    interest in - and hopefully become advocates for - your proposal. For
    instance, Cloutier makes a habit of identifying which business leaders
    "own" which risks and then publicises these assignments.

    "That's powerful - people don't want to be seen as responsible for
    risk, so they become supporters in helping to mitigate it," Cloutier
    says. "It's not about fear and uncertainty, it's about feeling
    accountable for a problem in their area and deciding they're going to
    help resolve it." The technique encourages a partnership approach,
    which drives the needed resources.

    Clark similarly believes in the power of publicising ownership. He
    uses a device that he created earlier in his career, which he calls
    the "Good, Bad and Ugly" chart. The diagram depicts where each
    division stands in its progress on current security initiatives. At
    one company, Clark shared this chart with the CEO and requested that
    the CEO voice his support for the initiative in his quarterly address.
    Not only did the CEO promote the project, but he also called out the
    president of one division that had fallen far behind in achieving
    project milestones, saying that failing to catch up would result in
    termination. "Suddenly, everyone was coming to me, asking what they
    needed to do to catch up," Clark says.

    In large companies, it can take some educating to get certain
    divisions to feel ownership. For instance, at a global manufacturer
    that Clark worked for, the oil refinery division had lots of interest
    in security, but a manufacturing division was more tuned in to keeping
    its factories operational.

    "We had to show them that regardless of what they're protecting,
    they're part of the overall corporate risk," Clark says. "You're only
    as good as your weakest link. That is a conversation I've had multiple
    times because different areas didn't want to spend the funds."

    5. Preview your plans

    You usually only get one shot when you request funding, so Gunthner
    suggests practising your pitch before showtime. "When I set out to
    sell a new initiative, I'm looking at three things: Does it make
    financial sense, what is the business value, and does it support the
    business strategy," he says. "So after doing all my homework, before
    officially presenting it, I present it informally to various key
    stakeholders so I'm not taking something out of the box they've never
    seen or heard of before."

    By the time you make the formal presentation, you have a number of
    people in your corner who understand the value of what you're trying
    to do, he says. And if there's a lot of pushback, you need to evaluate
    whether it's time to move forward or go back to the drawing board.
    "You typically only have one chance of getting a yes, and if you get a
    no, you can't go back for several years," Gunthner says.

    The stakeholders you gather don't need to be part of the ultimate
    group making the decision, he says. They just need to be people in
    divisions who may be affected, for example, facilities, a particular
    business unit, finance, legal or HR. "I try to rally as many of those
    people in my corner as I can so that when the day comes - whether
    they're in the room or not as part of the official decision making - I
    can say I consulted with XYZ and they're in support of it," he says.

    Even if it takes weeks or months, Gunthner says he doesn't move
    forward with his funding requests until he gains consensus. "All it
    takes is one stakeholder to say, 'I don't agree,' and the thing is
    dead in the water," he says. "Let them shoot holes in it - you would
    rather know beforehand versus when you get turned down altogether."

    6. Play politics

    It's also a good move to surround yourself with people who hold power
    in the organisation, such as top money-making business areas, Clark
    says. "If you get them bought in, everyone else will say, 'If it's
    good enough for them, it's good enough for us,'" he says. Does that
    sound cynical to security do-gooders? "That's how the business world
    works," says Clark.

    Additionally, when communicating to the company about the security
    organisation's activities, it's not a bad idea to piggyback
    newsletters or articles onto communiques that a high-level executive
    is already sending out. At a previous employer, Clark contributed a
    monthly column to a weekly newsletter that the number three executive
    in the company sent out. At another company, he paired up with the
    CIO's ongoing communications.

    "I ask the highest-level person I have a relationship with to send it
    out," he says. These missives are also a good way to build a campaign
    for an initiative for which you're trying to gain support.

    7. Read their minds

    It doesn't take a psychic to forecast the concerns and questions
    certain stakeholders will have - all it takes is a quick study in
    human behaviour. "Certain individuals have hot-button issues they
    particularly want to dig into," Gunthner says. For instance, HR may
    have a particular sensitivity to certain employee relations issues,
    while facilities may be concerned about misplaced assets. "To know
    what those are and address them in advance gives you a much better
    opportunity to get your proposal through," he says.

    8. Watch your timing

    Timing is not always something you can control, but it's important to
    keep in mind that it's "key, key, key," Gunthner says. Even great
    projects that clearly support business strategy and promise a great
    return can get turned down if the decision maker is, for whatever
    reason, having a bad day. "You have one opportunity to get a 'yes,' so
    timing is crucial," he says. "If you have the ability to pick the
    right time to present your project, do so. This will increase your
    chances of getting a 'yes.'"

    9. Show, don't tell

    When presenting to the C-suite, visuals can express your ideas more
    clearly and quickly than words. When Clark wanted to convey risk
    exposure to executives at a former employer, he created a mash-up of
    the company's web security tools and a spinning globe. He showed a
    rain cloud advancing over certain cities to show where the risk was
    highest. "The CEO asked if I could guarantee we wouldn't get hacked,
    and I said, 'Can you make it stop raining?' No, but you can prepare
    for the storm to reduce your risk," Clark says.

    At eBay, Cullinane has developed a dynamic "risk curve" visual that
    illustrates the relationship between spending and risk levels. "It
    tends to get pushed up to the right as new exposures are found and
    moves down when we take actions to reduce exposure," he says.

    Clark also believes in the power of storytelling as a vibrant way to
    enliven security exposures and successes. He has gone so far as to
    hire a security marketing analyst, who spends one-third of his time
    storytelling, whether it's to secure funding or report on ROI. This
    person is a creative communicator and natural salesperson who, for
    instance, tells executives what they got for their money, beyond
    standard ROI, and puts relevant context around news stories of
    security mishaps and explains what could reduce that kind of risk.

    Beyond visuals and storytelling, Cloutier has occasionally turned to
    the power of the hack to illustrate a technology-related risk.
    "Especially on the cyber side, we show them how easy it would be to
    get hacked," Cloutier says. "It's hard to argue."

    Similarly, Clark has set up hacking challenges that determine whether
    he gets funding. At one company with a large number of external-facing
    websites, the developers firmly believed they had battened down all
    the hatches and were balking at putting up the money for a particular
    security initiative. Clark issued a challenge: If he could hack into
    five of the websites, they would allocate the funds. They agreed, and
    he was successful. "It was a gamble, but I was pretty confident," he
    says. Doing something attention-grabbing is sometimes key, he says.

    "To be a change agent, you have to be creative and convey things in
    interesting ways they haven't heard of before," Clark says. "Often,
    people have their objections already lined up, so you have to think
    two steps ahead and come at it a completely different way."

    ________________________________

    http://www.computerworlduk.com/advice/security/3316810/9-secrets-of-getting-stuff-done-in-a-big-company/