The Five Rs: Building A Business Case For Information Security

If the economic downturn has proven anything, it's that many CISOs still struggle to articulate the value of their security programs and justify the security budget to business and executive management. Many helplessly watched their budgets slashed, their projects postponed, and their employees laid-off.

Many CISOs are experiencing a rapidly changing environment today where business is demanding more of the security organization, consumerization of IT is usurping control and new architectures are required to address issues of shrinking perimeter, virtualization and web 2.0 technologies. At Forrester's upcoming Security Forum, we'll take a closer look at these three significant shifts and how to address and effectively communicate these changes to business.

Also see: 5 Tips for Managing Security in a Recession

While some of the lay-offs and budget cuts may have been necessary, many CISOs wonder whether stronger relationships with the business or better articulation of their message would have made any difference. Forrester worked with to some of the most successful CISOs at large, global organizations, and developed these five categories that help articulate the value of information security to the business: reputation, regulation, resilience, revenue, and recession.

Depending on your audience, we recommend that you use all or some combination of these business value categories to make the case for continued investment in your security program.


The impact of security breaches on well-established brands in recent years has resulted in huge financial losses. Not only are the external threats from the hacking community becoming more sophisticated and targeted, the amount of damage done by internal threats—the intentional or unintentional actions by your own users—has also been steadily increasing over the years.

CISOs must underscore the importance of security on the company's reputation by protecting against an increasingly complicated internal and external threat paradigm, and preventing abuse from third-parties and business partners.

One pharmaceutical company we spoke with started getting complaints of adverse patient reactions from a geography where they had miniscule sales. The security team, working in conjunction with the fraud department, was able to uncover that a business partner account had accessed manufacturing details and packing specifications for the product a few months back. Moreover, this partner was suspiciously monitoring the business and marketing plans from a centralized server. Upon further investigation, it was discovered that counterfeit drugs were being manufactured and sold in that geography under the same brand name. [Editor's note: See Drug Busters for an in-depth look at preventing pharmaceutical counterfeiting at another company.] By stopping the activity, the security team protected the corporate brand from further damage.


As regulations stack up, the requirements seem to increase exponentially. The security organization is tasked with not only managing the IT compliance requirements to multiple regulations, but doing it so efficiently that a single audit or assessment can be used multiple times. CISOs should focus on the following areas when articulating the value of regulation: complying with multiple regulations simultaneously by developing a common security and audit framework - not just meeting the letter of the law but also incorporating the corporate perspective - and avoiding fines and penalties for non- compliance. As a good example, a retail outlet was able to avoid potential fines of $50,000 a day by putting in place an application firewall that carried a little over a $100,000 price tag.

Revenueprotecting the corporate intellectual property. But savvy CISOs go one step further and bolster their value articulation by pointing out that security helps with protecting IP from being stolen or disclosed and finding new business by marketing better security. In some industries such as financial services information security is part of the corporate marketing. Bank of America, for example, has successfully marketed itself as a bank that values its clients' privacy and security. As a result Bank of America has come up with innovate way to increase revenue through consumer security, such as offering two-factor authentication tokens for a small fee. For companies in such industries security is an absolute necessity just for both their internal users and their customers.

Although information security does not always contribute directly to the revenue of a company, it's often instrumental in

Resilienceensuring continuity of critical business processes during these times and coordinating and responding to threats and incidents efficiently.

Resilience is a top concern for many organizations due to pandemic scares disasters such as hurricane Katrina or the tsunamis in the Far East. Many companies realized during these unfortunate disasters that they had no plans and processes in place to deal with them effectively. Security can help by

A service provider in the Gulf region lost all its business when both its data centers—30 miles away from each other—were destroyed in hurricane Katrina. The company did not recover from this loss and had to file for bankruptcy. On the other hand, a financial service company was not only able to switch over to its back-up facility in the northeast without any major hitch, but they were also able to account for 99% of their staff within three hours of the hurricane hitting the coast. The business continuity efforts were spearheaded by the security team and coordinated with the disaster recovery team from IT. Although the company did suffer a loss, it was able to recover completely in less than 48 hours.

Recession: Security Reduces The Spend To Counter Economic Pressures

Some would argue that talking about the current recession doesn't help articulate the business value of information security. But many CISOs have found that in the current environment, this may be the only way to get management's attention. CISOs can help them achieve their goals in tough times by lowering costs by investing in strategic vendor relationships, using existing products and tools more effectively, and creating efficiencies in business processes.

As an example, a manufacturing company spent approximately $3 million every year on manual compliance processes. The CISO of the company proposed a GRC tool to streamline efforts by creating efficiencies around the audit and compliance processes. The company was able to save close to $2 million over three years by combining their various IT governance, risk and compliance activities, such as auditing, assessing, testing, and reporting.

Many CISOs have been so focused on responding to threats and managing day-to-day operational issues that they haven't focused on answering some very basic questions posed by their business peers. Implementing the five R's will help you better articulate the value of your security program. ##

Khalid Kark is a Principal Analyst at Forrester Research, where he serves Security & Risk professionals. He is a leading expert in information security program governance. He will be delivering a keynote speech at Forrester's Security Forum, Sept. 10-11, in San Diego. Forrester is pleased to offer CSO readers a $405 discount off the standard conference rate for Forrester's Security Forum 2009*. To register, call Forrester Events at +1 888.343.6786 and reference VIP Code SF9CSM.

Copyright © 2009 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.