Tech Insight: Helping Security Find Its Voice

With budgets tighter than ever, it's time for a new strategy for selling security to the business side
A Special Analysis for Dark Reading

With budget decisions under greater scrutiny during this economic crisis, it's even more important that security professionals, both engineers and managers alike, present their case so that they are heard -- and understood. That will require several tactics, as well as reprioritizing what problems need solving first.

Times are hard, and budgets are tight. It's a sad but real fact that IT security teams typically have difficulty getting their messages to their upper management and C-level executives who hold the purse strings and make the big decisions.

In both the small and large organizations where I've worked, the problem is always the same: selling management on why security measures, like multifactor authentication and enterprise patch management, need to be put in place, why those measures cost what they do, and why now, when nothing bad has happened, they need to be implemented. The latter is becoming a little easier to explain, thanks to increased publicity and attention to data breaches. Major breaches like TJX, at least, provide good examples we can cite while explaining the urgency and importance for wireless intrusion prevention or database encryption products.

But using other companies' data breaches as examples may not be enough for some organizations. It may take experiencing a sizable data breach of its own for management to see the light and realize changes need to be made. Of course, that leaves the security team manager to explain why the breach occurred, and then possibly have to cite management's lack of support for security initiatives as the root cause. That's not exactly a comfortable position for any security professional.

No matter what size organization I've worked for, there have always been individuals who saw security as an obstacle; other IT groups are enablers, but security is considered the disabler. So it's critical as a manager of a security team that you fully and effectively explain the importance of a project your team is working on, how it will protect the company without affecting the overall mission and productivity of other groups, as well as provide metrics that demonstrate your team's excellent job.

IT security metrics are tricky. It can be difficult to quantify and evaluate the effectiveness and benefit of security initiatives to the bottom line because there is no general consensus on what constitutes a valid and meaningful measurement. And there's no way to know which metrics will make your management sit up and take notice. The important metrics in a university environment will differ from those at a financial institution. Some examples of commonly used metrics are the numbers of security incidents, vulnerabilities, attacks, blocked spam, encrypted laptops, and machines up to current patch level.

One approach my team has found valuable is tracking security incidents across the entire university, the time it took to resolve each incident, and the type and impact of the incidents. Semester incident reports are then created that break down the different areas and graph them for a historical perspective that quickly shows areas of improvement over a multiyear period. One recent metric that you can use for showing how well your vulnerability detection and patch management is performing is a graph depicting the speed at which your team was able to get all hosts in your company patched when Microsoft's out-of-cycle patch MS08-067 was released.

Rich Mogull has an excellent blog entry on Dark Reading, titled "The Security Pro's Guide To Thriving In A Down Economy," in which he says, "If it doesn't stop an obvious threat (by obvious, I mean anything that kills e-mail or the Website), meet a compliance requirement, or reduce existing costs, odds are it's a bigger budget-cutting target."

That is an excellent starting point for getting management's attention. Take a moment to review what projects your team is working on, what you have queued up to pitch to management, and see which of the three areas Rich describes is the right fit for your project.

Projects that don't fit into those areas will need to be re-evaluated and either scrapped or refocused in a way that targets one or more of those critical areas. Management understands compliance, or at least knows it is a necessity, and I know of numerous groups that received substantial budget increases thanks to HIPAA and PCI-DSS. Likewise, being able to target a specific threat like data loss could spell dollars for laptop encryption and data leakage prevention products.

And when you finally get face time with management -- often 30 minutes or less -- you have to make your case convincingly and prove value to the business. Remember to provide metrics that can be easily explained and make sense in terms of how those metrics kept the company running: the amount of spam blocked by the new spam filtering appliance; what compliance rules have been met with the new enterprise log management solution; or how quickly your team handled an incident, preventing downtime and potential loss of customers and public embarrassment. Visual aids can be crucial to getting your point across to management with those metrics and the job your team is doing.

And don't be afraid to promote your team's successes. It's important to show how what you do helps protect the business.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message