
Eight tips for justifying security infrastructure investments

Computer crime can cost a company thousands, yet companies still drag their feet on proactive security. Here are the SANS Institute's eight tips to help you prove that security is worth the money.


Security problems can seriously compromise a company's bottom line. For example, computer viruses cost affected companies an average of $61,729 in losses last year, according to the Computer Security Institute's annual survey. Denial of service attacks cost an average of $108,717 per company. The total annual loss last year for all forms of computer crime? More than $265 million.

Still, it's sometimes difficult to convince executives to invest in infrastructure security. How can you persuade your company's president that security is an essential, not extraneous, expense?

Here are eight ways to justify security infrastructure investment from the System Administration, Networking, and Security (SANS) Institute’s 2001 "Network Security Roadmap Poster":
  1. Perform a risk assessment to determine the value of your assets and the current risks to those assets.
  2. Prove that your network is at risk. One way to do this, according to SANS, is to set up a passive network sniffer on your network backbone. Logging the unsolicited connection attempts and port probes it sees over a few days gives you hard numbers on how often outsiders are already knocking, without touching any system yourself.
  3. Generate a risk report by using a well-known scanning tool to probe your network from the outside, as an attacker would. Such tools include Database Scanner from ISS, nmap, Nessus, or Cisco's Secure Scanner. Get written authorization from the system owners before scanning, and run the scan from an address outside your perimeter so the report reflects what an outsider actually sees.
  4. Explain the business impact on the company's reputation, revenue, and profits if there's a widespread report that your site has been compromised.
  5. Discuss the business implications of a denial of service attack.
  6. Provide regular briefings that include up-to-date information about recent attacks, including recent cases where companies’ sites have been compromised and the financial impact this caused.
  7. Assess and explain the risk of insider compromises. Be sure to consider what types of information are being sent outside the company, how much time employees waste online, and the liability the company may face by employees' sending inappropriate e-mail or accessing questionable sites.
  8. Hire an outside consulting firm to perform a vulnerability assessment on key areas. Your assessments may be taken more seriously if confirmed by an independent consultant.
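The following is an added example, not from the SANS poster or the original article, of turning the raw evidence from step 2 into the kind of summary an executive can read: it parses the text output of a passive sniffer such as `tcpdump -n` (the sample lines below are constructed, with RFC 5737 documentation addresses, not a real capture), keeps only pure SYN packets (inbound connection attempts), and reports probe counts per source and per destination port, flagging any source that hits several ports on one host (a port scan) or the same port on several hosts (a sweep). The threshold of three is an arbitrary assumption for the sample; on a real backbone you would raise it and run the script over a day or a week of captured output.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` text output (not a real capture).
# 198.51.100.7 probes five ports on one host; 192.0.2.99 sweeps port 22 on
# three hosts; 192.0.2.55 completes a normal handshake to the web server.
SAMPLE_TCPDUMP = """\
12:01:03.100000 IP 198.51.100.7.54321 > 203.0.113.10.22: Flags [S], seq 1, win 1024, length 0
12:01:03.200000 IP 198.51.100.7.54322 > 203.0.113.10.23: Flags [S], seq 1, win 1024, length 0
12:01:03.300000 IP 198.51.100.7.54323 > 203.0.113.10.80: Flags [S], seq 1, win 1024, length 0
12:01:03.400000 IP 198.51.100.7.54324 > 203.0.113.10.443: Flags [S], seq 1, win 1024, length 0
12:01:03.500000 IP 198.51.100.7.54325 > 203.0.113.10.3389: Flags [S], seq 1, win 1024, length 0
12:01:04.000000 IP 192.0.2.55.40000 > 203.0.113.10.80: Flags [S], seq 7, win 65535, length 0
12:01:04.010000 IP 203.0.113.10.80 > 192.0.2.55.40000: Flags [S.], seq 8, ack 8, win 65535, length 0
12:01:04.020000 IP 192.0.2.55.40000 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
12:01:05.000000 IP 192.0.2.99.51000 > 203.0.113.10.22: Flags [S], seq 9, win 1024, length 0
12:01:09.000000 IP 192.0.2.99.51001 > 203.0.113.11.22: Flags [S], seq 9, win 1024, length 0
12:01:10.000000 IP 192.0.2.99.51002 > 203.0.113.12.22: Flags [S], seq 9, win 1024, length 0
"""

# Matches the fixed prefix of a tcpdump TCP line up to the TCP flags field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syn_probes(text):
    """Yield (src_ip, dst_ip, dst_port) for every pure SYN, i.e. every
    inbound connection attempt. SYN-ACK ("S."), ACK (".") and other
    packets belong to established traffic and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def summarize_probes(text, scan_threshold=3):
    """Aggregate SYN probes into counts suitable for a management report.
    scan_threshold (an assumed value) is the number of distinct ports or
    hosts a single source must touch to be called a scanner or sweeper."""
    probes = list(parse_syn_probes(text))
    per_source = defaultdict(int)
    per_port = defaultdict(int)
    ports_by_source = defaultdict(set)
    hosts_by_source = defaultdict(set)
    for src, dst, dport in probes:
        per_source[src] += 1
        per_port[dport] += 1
        ports_by_source[src].add(dport)
        hosts_by_source[src].add(dst)
    return {
        "total_syn": len(probes),
        "per_source": dict(per_source),
        "per_port": dict(per_port),
        # one host, many ports: a port scan
        "port_scanners": sorted(s for s, p in ports_by_source.items()
                                if len(p) >= scan_threshold),
        # one port, many hosts: a sweep for a specific service
        "sweepers": sorted(s for s, h in hosts_by_source.items()
                           if len(h) >= scan_threshold),
    }


def format_report(summary):
    """Render the summary as the short plain-text report you would hand over."""
    lines = [f"Inbound connection attempts observed: {summary['total_syn']}"]
    for src, n in sorted(summary["per_source"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {src:<16} {n} attempts")
    lines.append("Most-probed ports: " + ", ".join(
        f"{p} ({n})" for p, n in sorted(summary["per_port"].items(),
                                        key=lambda kv: -kv[1])))
    lines.append("Port scanners: " + (", ".join(summary["port_scanners"]) or "none"))
    lines.append("Host sweepers:  " + (", ".join(summary["sweepers"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_probes(SAMPLE_TCPDUMP)))
```

To feed real data in, capture inbound SYNs on the backbone with something like `tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > probes.txt` and pass the file contents to `summarize_probes`. Only SYNs are counted, so the figures reflect attempts rather than successful connections, which is the honest number to put in front of a president: it shows the frequency of probing without implying anything was breached.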

How did you convince the company to invest in security?
We'd like to hear your tips for convincing non-IT professionals of the necessity of security. E-mail us your story or post it below.
