Chasing the elusive approval for an IT-security budget

There are always challenges selling upper management on an IT-security solution. Michael Kassner found some help -- risk management analysis. Here's how you can use it to help bolster your argument.

Risk management is something each of us does. Every waking minute, we evaluate risk and make decisions based on our assessment. The process is so automatic that one has to really slow down to understand what's happening.

For example, step through how you determine if it's safe to cross the street.

Can't eliminate risk

The crummy part is that risk cannot be eliminated -- no way, no how -- only reduced. To understand how risk can be decreased, experts divide it into the following classifications:

  • Inherent risk: The risk to your company in the absence of any actions you might take to alter either the likelihood or impact.
  • Residual risk: The risk (also known as "vulnerability" or "exposure") that remains after you have attempted to mitigate all inherent risks.

Residual risk is the one we need to worry about. We know to look both ways before crossing the street, but seldom look up -- residual risk -- missing the meteorite that's headed straight for us.

Residual risk is the one that drives security experts and upper management nuts. Why that is may not be readily apparent. I initially thought -- wrongly, of course -- that it was based on trying to determine all possible risks. Nope, that's not it.

Balancing act

We agree that risk cannot be eliminated; so, how hard does one try to reduce risk? When is the cost of reducing risk more than the cost of having the risk occur? That's the tricky bit and what keeps risk assessors up at night.

Trying to understand, I waded through several papers posted on the website Risky Thinking. You know how that went. Then I found the paper, "Quantifying Risk and Cost of IT Security Compliance" by Ron Lepofsky, CISSP, CISM, and President of ERE Information Security and Compliance Auditors -- an information security, audit, and compliance company.

IT risk management

I had my fingers crossed; Ron's article appeared to focus on IT security. And that's important. I've lost track of all the readers who have commented on how upper management is clueless when it comes to IT security: "All they want to know is how much it costs."

After my first read, I knew Ron's article was the real deal. It explained what speaks to upper management and how IT personnel should present it. Trouble is, I don't speak risk management. So, not wanting to mess up, I contacted Ron.

Ron got back to me, mentioning he was on vacation. I had a sinking feeling, and a deadline looming large. He thankfully added, "If Internet access was available, I'd be glad to answer your questions." Yes.

Kassner: Most IT managers are familiar with the concept of risk management, but that's it. What are your suggestions?

Lepofsky: Managers should factor into their decision process what is deemed acceptable by upper management. I would consider the following as potential residual risks:
  • Loss of revenue or production due to unavailability of production resource
  • Time and effort to recover from a security related loss of production
  • Legal
  • Damage to brand
  • Regulatory compliance violations
  • Privacy compliance violations
  • Damage to client relationships
  • Loss of intellectual, competitive, or proprietary information
  • Uncaptured profits resulting from inability to demonstrate to clients a strong security process
Kassner: In the article, you mention the need to speak the language of upper management -- ROI, essentially. Is it possible to assign a monetary value to a risk?

Lepofsky: Cost is the resulting impact on the business should a risk become a reality. To help determine potential costs, I'd suggest the following:
  • Soliciting advice from financial management, lawyers, and risk management consultants
  • Conducting a straw poll of stakeholders, each estimating the downside cost of an event
  • Participating in fact-gathering surveys of similar businesses, each providing a cost analysis of a security event
  • Purchasing statistical information from industry experts or industry associations
Kassner: After you get a handle on potential risks, you claim it's important to determine the likelihood of an event happening using Annualized Loss Expectancy (ALE); could you explain how it works?

Lepofsky: ALE is the monetary loss resulting from an asset being compromised over an entire year and is calculated by multiplying SLE by ARO. Where:
  • Single Loss Expectancy (SLE) is the expected monetary loss resulting from one instance of an asset being compromised
  • Annual Rate of Occurrence (ARO) is the expected number of occurrences per year
Kassner: We now understand how to assign a monetary value to individual risks. The next order of business would be to figure out what it costs to prevent each risk. You mention:

"Security professionals are well acquainted with determining the costs of mitigation. Senior executives sometimes think they too are familiar with these costs, based upon ads they read about anti-virus and firewall technology.

The danger here is that it is too easy for all concerned to focus on technology as the primary mitigation for security and compliance."

You then advise responsible parties to consider the following mitigation steps:

  • Re-engineering processes, both technological and people processes
  • Policy -- people and technology
  • Technical security
  • Physical security
  • People processes
  • Training and awareness
  • Third party auditing to verify effectiveness

You are right, nothing new there. But, your next comment was an "oh-duh" moment for me, and honestly, the reason I wrote this article:

"IT-security types are good at protecting, but not so good at convincing the powers-that-be why it's necessary."

The following graph seems like something management would appreciate. Would you explain what we are looking at?

Lepofsky: The graph above shows the relationship between two factors:
  • Potential loss versus risk (percent chance of an event occurring)
  • Mitigation cost versus risk (percent chance of an event occurring)

The optimal cost for spending on security is the amount determined by the intersection of the two lines. And the green curve above that is the total cost of risk where:

Total cost = cost incurred by losses + cost of mitigation

In planning a security budget, the goal is to minimize expenditures, so a corporation would ideally not spend more on mitigation than the expected potential losses. As a sanity check, the total costs associated with risk should definitely be greater than the mitigation costs, or something is terribly wrong with the financial planning of risk mitigation.
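As an added worked example (not code from the original article or from Ron Lepofsky), the ALE formula from the interview and the total-cost curve described above, carried through in Python: it computes ALE = SLE x ARO for a set of residual risks, sums losses and mitigation into a total cost, scans for the optimal spend at the curve's minimum, and applies the sanity check that total cost must exceed mitigation cost. The halving model of how spend reduces likelihood and all sample figures are my own assumptions, not values from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: monetary loss from one incident
    aro: float  # Annual Rate of Occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO, as defined in the interview."""
        return self.sle * self.aro

def portfolio_ale(risks):
    """Expected yearly loss across all residual risks with no mitigation."""
    return sum(r.ale() for r in risks)

def residual_aro(aro, spend, scale):
    """Assumed model (not from the article): every `scale` of mitigation
    spend halves the likelihood of the event occurring."""
    return aro * 0.5 ** (spend / scale)

def total_cost(risks, spend, scale):
    """Total cost = cost incurred by losses + cost of mitigation."""
    losses = sum(r.sle * residual_aro(r.aro, spend, scale) for r in risks)
    return losses + spend

def optimal_spend(risks, scale, step=1000.0, max_spend=200000.0):
    """Scan candidate budgets; return (spend, total_cost) at the curve's minimum."""
    best = None
    spend = 0.0
    while spend <= max_spend:
        cost = total_cost(risks, spend, scale)
        if best is None or cost < best[1]:
            best = (spend, cost)
        spend += step
    return best

def passes_sanity_check(risks, spend, scale):
    """The interview's check: total cost of risk must exceed mitigation cost alone."""
    return total_cost(risks, spend, scale) > spend

# Constructed sample figures for illustration only; not taken from the article.
SAMPLE_RISKS = [
    Risk("production outage", sle=40000.0, aro=1.5),
    Risk("regulatory fine", sle=150000.0, aro=0.2),
    Risk("client data loss", sle=80000.0, aro=0.5),
]
SCALE = 20000.0  # assumed: each $20k of spend halves event likelihood
```

With these constructed figures the unmitigated ALE is $130,000 and the scan settles on a mitigation budget in the low $40,000s, well below the expected loss, which is the relationship the interview says a sane budget should show.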

Kassner: I see one small problem -- well, maybe not so small. I'm thinking of the small-shop, harried IT person. What advice can you offer them?

Lepofsky: This is a huge problem. It is unlikely that IT-security techs will have the time or resources to perform risk analysis when creating a budget.

First step is to determine if management has any documentation assigning risk priorities to company assets. If not, then I'd suggest making upper management aware of the benefits of risk analysis. At least then they can make an informed decision about security budgets. Whatever the decision, I would recommend the IT department ask for management's resolution in writing.

Final thoughts

Speaking the language of risk management and optimal cost points should make convincing upper management a lot easier. I'm anxious to try it; I'll let you know how it goes.

I'd like to thank Ron for shedding light on a very complex subject and helping us IT types better understand upper-management speak.



Information is my field...Writing is my passion...Coupling the two is my mission.


Part of the problem for SMBs is that implementing platforms and frameworks generally requires a backend infrastructure, and the manpower and skills to maintain it. Cloud services change the math and make it cost effective for SMBs to compete on a level playing field. This article I read recently shares some good information about cloud security and data backups for SMBs:


Just wanted to point out that the sum of two linear graphs cannot produce a non-linear line. For a manager with enough maths background this would be obvious.


I do equipment builds; while they focus on earnings and productivity improvement, risk mitigation is always included. One thing I would include is a failure escalation. When the Corps of Engineers dams a river to prevent yearly flooding, they in fact generate a new but lower-incidence risk of catastrophic dam failure. In a wartime environment the actual risk of failure and likely cost involved are worse. If a security policy involves backing up all data to a remote site, there is a chance that all the data at that site could be breached. Or if the patching and updating system used to reduce vulnerabilities is itself suborned, then all systems can quickly be infected or controlled. If you justify based on risk analysis, it behooves the assessor to have a deeper understanding of the process involved. Otherwise it is easy to generate false value assumptions.


I have a reputation for massive overkill in mitigating risk and protecting data. I try to convince everyone there's more to a loss than just the bottom line. If a company's data becomes compromised, there is a psychological effect on the workers using that data. Sort of like if your house was broken into and robbed, you'll never feel the same about "home" anymore. I'd rather the excess protection be there, so if someone says 'no thanks' on a particular line item, I'll usually go ahead and do the work anyway (and not emphasize the "freebie" aspect). I've been the Miracle Worker on at least two occasions where I put additional safeguards in place that the customer had thought unnecessary. I may make less money up front, but in this small-town atmosphere the good will and reputation are more valuable than mere money. You might say I've paid for a bit of extra job security.

Michael Kassner

Rather than wonder why upper management is clueless. Learn to speak their language and dazzle them into approving your new budget.

Michael Kassner

The total cost on either side of the optimal point will increase creating a line similar to the one shown.

Michael Kassner

Definitely can be widened. In fact, I think it might be the opposite: IT types adapted risk management.


They will expect more of the same from you, and lowering the costs and providing freebies means you're driving down wages for everyone else in the field. But keep feeling warm and fuzzy all over. That's more edible than food. Thank you. (Do you really think we live in a community? No. We live as businesses.)

Michael Kassner

And, I am glad you brought it up. I can't speak for others, but I also have the small-town mentality. As for a "miracle worker", I do believe you are.


Otherwise, why spend the money to just ignore who they hire? It seems the avenue can go both ways...


Where I am there is no escape from reputation. The upside is if you're perceived as reputable, capable and even loyal to a degree you have a lot of latitude. A screwup that would get someone fired in a faceless "I've got a stack of resumes THIS THICK!" world doesn't necessarily spell the end of a relationship in this environment. Not that I depend on anyone overlooking screwups. I haven't worked any IT in a highly competitive environment, but do have experience in perhaps one of the most competitive environments you'll ever find: working corporate aviation in New York City. I have to say I really see little difference in how to succeed anywhere on the spectrum. I 'went the extra mile' to land me a left seat, little different from how I approach my present labors. I've always believed that with an attitude of 'give, give again and just keep giving' you'll be noticed, appreciated and everything will work out your way in the end. I'm not saying you are wrong in any way, far from it. I'm just saying I have been insulated from the type of environment where I'm just another in that stack of resumes. In retrospect I probably insulated myself all along, without realizing it. BTW I did say I don't go making a point of having done something extra for a client. It's only if and when something like that makes the difference between a disaster vs no big deal that I mention it. If you've never been in a position to tell a CEO, owner, manager or what have you that "I took the initiative" that saved their hide you're missing out on rewards that go well beyond but DO include money.

Michael Kassner

Helping out, as Pgit suggested, is often monetized in future business and additionally provides good will.

Michael Kassner

But, from the comments I am getting, upper management does not make decisions on just what someone says. And if they did, it still would help to speak their language.

Michael Kassner

My grandfather said on many occasions, we only get to take two things with us, character and reputation.
