
How to sell security to the C-Level
I just read Justin Strong's guest blog on the above subject and, although I don't disagree with his points, I don't think that he's stayed on-subject. Surely the key message is that information security is not IT's problem alone to resolve, and it's certainly not entirely their budget that's up for grabs. It's a business problem. The business is at risk if it doesn't take seriously the need for good processes, procedures and tools to protect itself. It's the business that needs to find the budget and offset that against the risk it has determined it would face should a breach occur.

IT can knock on the doors of the C-levels as much as they like, but they are unlikely to get much of a reaction with the usual fear, uncertainty and doubt tactics. How can IT determine the cost of a breach to the business? They simply implement new systems and services to support the business's requirements.

Information Security has to start at the top and run through every level of the organisation. IT might be asked to implement a new service or solution, but it's the business that has created the need for it, so it should be the same management that is involved in considering the business risk of introducing the new service and the cost to mitigate it.

With a proper Information Security structure in place within the business, there is an inherent understanding of best practice and of what needs to be reviewed when new systems and services are introduced. Now IT can take its proper role within the process, which is to ensure that the new service works properly, in the knowledge that any business risk has been assessed and that the necessary protection has been budgeted for and implemented.

My advice? Get a quality consultancy in to run through a Gap Analysis with ISO27000 as the benchmark. This will identify where the business is in terms of its security, and the C-levels can decide where they think the business should be. The gap can then be addressed by setting up a proper information security team within the organisation, with the C-levels involved. Once you've achieved that, there is no need for IT to "sell" the need for security and the associated budget.

Okay, it's not a perfect world and it's not easy to get consensus, but security has to come from the top. The budget will follow.
Posted by JEHowell
14th Nov