As an IT consultant, I visit a variety of organizations that want me to assess their security and tell them how much they need to budget for it. There are two common scenarios:
- The organization is ready to make a commitment to security. They ask me to size their security investment from a simple metric, such as the number of PCs and servers or the number of employees. The truth is that these metrics are not going to lead me toward a thoughtful recommendation.
- The organization is anxious about making a commitment to security and hesitates to invest because it does not fully understand the practical benefits. Meanwhile, it sits on the fence and leaves itself at risk.
People often take the same attitude toward security that they take toward any other capital expense: “Well, I need to purchase new desks for everyone, and we should spend about X per desk.” It is an item they see either as a necessary cost of doing business or as a fee they would rather avoid. To them, security is not a matter of productivity, and it is not looked at as a tool. I suspect that the old paradigms organizations use for budgeting decisions in general lead those same organizations to make significant mistakes when planning and budgeting for security within their IT budget. IT companies do not always help, because salespeople describe security as something “you have to do.” I do not know how everyone else feels, but when I make purchasing decisions in my own life, I do not like buying things because I have to.

I would like to take this opportunity to talk about how the message about IT security investments needs to change, so that when you go to the person who will approve your security expenses (whether you are a vendor speaking to a client, an in-house IT manager, or a compliance officer making the case to an executive committee) you can move in the right direction and implement what many of us recognize as an important investment.

First, security is a risk mitigation tool. You are placing a bet. When you purchase a firewall, you are betting that by deploying it on the perimeter you are less likely to be compromised than if you had no perimeter control at all. You want to protect something sitting behind the firewall, and the likelihood of an incident is much greater if you do nothing. The firewall does not make compromise impossible; it lowers the odds, and that is the value you are buying.

Second, security is meant to protect assets. A bank has a lot of security on the vault, but if you walk into the lobby you will notice that the deposit slips and the pens are not protected at all. Why? Because the asset the bank cares about is the money, not the various little things scattered throughout the building.

Third, there are always options, and the same goal can often be achieved in several ways. Keeping the first two principles in mind, the goal of security is to lower the risks associated with managing assets (in this case, data assets). Want to avoid getting a PC infected through visits to dangerous websites? You could install a proxy that inspects URL requests and blocks suspicious sites, you could block certain URLs at the firewall, or you could use a software tool that blocks sites at the browser level. Any of these could help, but there are other ways to lower the same risk, such as a strict policy on which sites employees may visit, with consequences for violating it, or simply disabling web browsing altogether. There is not necessarily a right or wrong solution; each option carries a different cost, a different impact on how people work, and a different amount of residual risk.

My approach to getting a security budget (technology or procedural) prepared and approved is to step back and first find out what matters to the data owners or stakeholders. That is ultimately what determines which solutions you use. It is up to the data owners who are spending the money to tell you what matters to them. Your job, as a trusted advisor to the data owner, is to bring them solutions that meet their goals, not a preconceived notion of what security ought to mean to that client.

For example, if I am working with a medical practice that is concerned with HIPAA compliance (protecting patient information) and also wants to give its staff flexibility in how they work, then our discussion of security investments starts by laying out the costs of plausible security incidents involving the specific assets they care about. What is the asset worth, and what level of risk are they comfortable with? Is user flexibility very important? If so, they should be prepared to make a greater investment in technology and support.

Once you present them with a budget of security solutions that meets their goal of protecting their assets, they have to make a choice. Returning to my example, perhaps the initial recommendation was too costly because it required an expensive control, such as full-disk encryption on every computer. At that point the client has to decide what they are willing to live with. Perhaps they initially wanted staff to have maximum flexibility to work with sensitive data on every device, but disk encryption is simply too expensive, so instead they create a rule forbidding staff from storing patient data on any PC. This alternative is less expensive and, as long as the rule is actually followed and periodically checked, it still meets the goal of protecting the asset, because a lost or stolen laptop then carries no patient data to expose.

To summarize, if you want to help an organization make room for security, you have to frame the conversation so that the return on investment can be felt, because the investment meets the goals of the data owner. When the conversation is focused on those goals, you are far more likely to arrive together at a security posture that is both flexible and effective, rather than dictating a solution to the data owner and hoping they go for it.
About the Author: Ben Schmerler is a vCIO Consultant at Choice Technologies, Inc., one of the most reputable IT managed service providers (MSP) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow Choice Technologies’ updates on LinkedIn. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock