Making the case for security spend

When you talk to as many companies as I do, you begin to see pretty clear patterns in the way people think and the issues they struggle with when implementing cybersecurity programs.  The vast majority of my time is spent explaining to customers the importance of security and how they will benefit from it.

This is where I often hear the same phrase over and over again, “I totally see what you are talking about, and I agree, but how am I going to justify this expense to the people who write the checks?”

Thankfully, my career isn’t spent only describing technical jargon like ‘message security headers’; a good part of my job is in helping our customers evangelize the solutions they are investing in to their own customers and management.

I decided to share the steps I take in helping my customers with you.

Know your audience

There are a few approaches you might take to explaining the importance of spending on security, but before you even begin to have this conversation, you need to think about the people you are going to be talking to.  If there has ever been a message I’ve continuously repeated to security professionals, it has been the concept of getting to know your business leaders and managers.  You need to know what makes them tick before you begin a conversation where you hope to influence them.  To put it simply, the argument you make should cater to the type of person you are talking to, I’ve included three typical leadership personalities below:

• Driven by numbers: The bean-counters in our lives.  This person clearly needs to know the facts and that your argument makes financial sense.  You might need to focus on ROI.
• Driven by emotion: You might eventually talk numbers, but this person is much more interested in knowing the damage a security breach might inflict on the brand and company overall.
• The visionary: An interesting combination of numbers and emotion.  With this person you might combine emotional arguments with a good mix of financial ones. Focus on the positives.

So, once you have an idea of the personality of the person who holds your purse strings, it’s time to make your argument.  Of course, there are many variations of how you can approach this discussion but for brevity, we’ll focus on the two leading strategies that make the most sense.  Let’s talk about ‘preparing for the unknown’ and ‘how to get a return on our investment’.

Preparing for the unknown (the fear argument)

I find that people typically jump to this argument by default, so we’ll talk about it first.  Fear is actually a great motivator for people to spend money.  We’ve all heard of ‘preppers.’ Those are the folks who have spent a lot of money simply on the notion that if something bad happens, they want to be prepared.  While sometimes those fears may be a bit misguided (alien attacks for example), other times they make quite a lot of sense (living in tornado alley).

The problem is, most people enter these conversations being ill prepared to present the facts and simply argue “what if a hacker attacked… we’d be in a lot of trouble”.  Ok, sure, that’s true… but you could have been a lot more detailed if you had prepared a bit more.  Take time to study the real impact attacks have had on other companies and use these real-world examples to help make your arguments.  Consider these examples:

Make the case: Target

The archetypal example of what ‘could’ happen.  Your arguments on the impact of a breach don’t need to be theoretical, rather, in the case of Target it can easily be measured.  Consider the impact of 40 million credit cards and 70 million user records being stolen:

• 46% drop in revenue (an estimated 1.2 billion)
• $200 million paid to credit companies for reissuing cards
• $100 million spent to upgrade POS terminals
• $55 million severance paid to the CEO on his way out the door

Make the case: Wegelin Bank

Sometimes the case for security doesn’t need to be made on the notion of a hacker’s attack.  Switzerland’s oldest bank, Wegelin, was founded in 1741 and was a titan in the banking industry until its lack of internal controls brought it to its knees.  The absence of proper governance and separation of duties (SOD) allowed for certain bankers to open secret internal accounts and fake corporations with the express purpose of violating national tax laws.  Their executives were indicted and are protected only by existing extradition treaties that don’t allow for financial crimes.

To put it simply, don’t go into your argument without first studying real examples of how lack of security has impacted real business in real ways.  Whether it be ransomware, stolen IP, customer records, or simple theft, finding an example that matches your company’s footprint is not going to be difficult.  The impact is real and measurable.  How would a security incident hurt your company?

Getting a return on your investment

You might be surprised to hear that my arguments on the value of spending money on security start by talking about McDonalds and Henry Ford.  Intrigued?  Let me continue then.

Richard and Maurice McDonald were the first entrepreneurs to realize the market need for fast food.  But how could any drive-up diner ever dream to accomplish this?  By focusing on just a few items (cheeseburgers and shakes) and creating a streamlined, repeatable process to make these items quickly, average wait times for food at a diner shrunk incredibly to only about 30 seconds after making your order.  Revolutionary.

Henry Ford invented the modern production line and in doing so, decreased the time it took to create a Model-T to only 93 minutes!  They would say he could get a new car rolling off the line before the paint was dry… only the color ‘Japan Black’ would dry fast enough… thus, all Model-T’s were black.  How could anyone accomplish such a feat?  A consistent, predictable, repeatable process with common parts designed to fit together quickly and easily.  Ford dominated the early car market and is one of the few manufacturers still around today.

You can measure ROI in security spending

Modern security solutions provide repeatable, predictable, secure levels of automation, it’s this automation that wins the day in decreasing friction and providing agility to the business.  Ask yourself, how much time and effort does it take when a manager in your company asks for an employee to get access to a secure fileserver.  Without defined, secure, processes in place the task is carried out manually and the business is put on hold until the outcome is resolved.  Now, imagine a scenario where not only are there tools your business managers can leverage themselves, but ones that automatically carry out the request.  Another simple measurement is the time wasted by help desk analysts resetting user accounts when that labor could be distributed across the entire company by self-service solutions.

The beauty of this approach is, not only are we seeing a real increase in productivity, but the changes are being made in an environment that is governed and secure.  We keep the bad people out and the good people happy.  Automation keeps these accounts in check at all times, removing stale or risky entitlements, creating accounts in the cloud and more… we just sit back and watch it run!  In all honesty, there are very few modern security solutions available today where we can’t at least attempt to measure an ROI.

So, the data you need is there, how and what you present to your management is up to you.  Do you need to go with the warnings of the cost of failure or the promise of money and time saved?  It depends on your audience.  Know that the position you take doesn’t need to be one of desperation, there are plenty of facts available to put your plan at the top of the budget.