Security Paradigms

About this Blog:

A security consultant reports from the trenches.

Steven Fox

Business Case-driven IT Security Spending

In “10 Things That WON’T Happen in 2009”, David Kelleher argues that organizations will adopt a “Do more with less” approach to controlling IT security costs. While optimizing existing processes and resources can lead to short-term gains, doing so blindly may lead to long-term problems throughout the organization. Security spending strategies must support the core competencies of the business and the needs of the customers that drive the bottom line.


The shift toward business-enabling security spending was highlighted by Forrester Research. They noted that small to medium-sized businesses will shift their focus from protecting against computer security threats to protecting their critical data. Their analysis also noted a movement towards managed security services. More importantly, the article showed that while businesses have yet to accept security as a business enabler, they do recognize it as a business issue.


Before we can highlight the business case for security, we must understand the organization that will pay for those investments. In “Considerations and Foundations for Assuring Software Security: Business Case Models for Rational Action”, Don O’Neill notes that “cost is a function of perceived value.” An organization, he argues, will gain a competitive advantage from security investments only if its customers value security enough to pay for it. Thus, an organization must communicate its security strategy as a value-add for the customer.


How can InfoSec professionals influence their company’s brand image? They must first understand how security is perceived in relation to the business plan. They must then begin to market strategic IT security investments that enhance the company’s competitive edge. Mr. O’Neill offers basic questions that must be brought before the Board:

  • To what extent does the organization include its global supply chain management operation in its software security assurance operations?

  • To what extent are the management staff and technical staff trained in their software assurance management responsibilities?

  • To what extent is the organization’s legal staff trained in software security assurance?

  • To what extent are the organization’s executive and senior management trained in their software assurance management responsibilities?

  • To what extent are the members of the board of directors informed of their software security assurance oversight responsibilities?

As mentioned in the first part of this series, the value proposition of security must be championed by professionals who can communicate how those investments enable the business.