How to Build a Better Business Case for Security Investments

The best business case is one built and presented by the business.

CSO, June 01, 2004 — Choosing her words carefully, Nina Burgess describes her employer, Fortune 500 financial company Comerica, as "very intentional." By that, she means it's a company with lots of process and a deliberate decision-making model. If you want to spend the company's cash, you'd better have your business case down cold. That's because you'll have to make your pitch to the Strategic Investment Committee, an august body of top-level leadership that generally meets every four months to scrutinize every major investment proposal. The company has a multistep process for ensuring that the business case presented for each project is truly accurate.

So how does the information security group get a significant security investment through that gauntlet?

Ideally, it doesn't. The businesspeople do it.

That's how it came to pass that Burgess, vice president for product development in the company's treasury management business, found herself pitching the Strategic Investment Committee on encryption software. Burgess says her business unit needs to share lots of data with clients old and new. Unfortunately, over the past several years, sharing that data in a secure manner has become so difficult that it hindered Comerica's ability to sign up new customers. Burgess went to the information security group for help. Top of her list of requirements: simplicity. Some of Comerica's customers are smaller companies that can't afford expensive client software and don't necessarily have large, sophisticated IS groups. Common solutions such as PGP (Pretty Good Privacy encryption software) were too complex for these clients, according to Kenneth Schaeffler, first vice president for Comerica's corporate information security services, which meant that Comerica's own IS manpower would get tied up solving customer support issues.

Schaeffler's group routinely scours the landscape of emerging infosecurity technologies. (Schaeffler calls this systematic effort the "security architectural domain process," in case you thought talk about Comerica's process-heavy style was exaggerated.) When Burgess approached the information security team with a bulleted list of requirements, the group found a possible match in software from a company called Cyber-Ark. Cyber-Ark creates an encrypted electronic "vault" into which sensitive files can be placed; remote clients and customers can log in and access the files via the Internet, instead of using FTP or other standard solutions that may be slower or are not designed with security in mind. (In other industries, Cyber-Ark gets used for storing things like CAD/CAM files or even password lists.) Scott Vowels, vice president of security architecture and engineering, says the Cyber-Ark approach proved easy for clients to manage—satisfying Burgess's top requirement—as well as being in sync with Comerica's overall information security architecture.
