Business focus helps sell IT security spending

IT managers should focus on issues such as business risk, customer impact, regulatory requirements and due diligence when demonstrating the value of IT security investments to C-level executives. And according to several IT managers at The Security Standard conference being held in Boston this week, it's important to communicate those issues in a way that avoids technology jargon and unnecessary sensationalism.

"What we need from a CSO are facts, objectivity and some real clear recommendations" to demonstrate achievable returns on security investments, said Lawrence Kinsella, chief financial officer at BT Global Financial Services in New York. "What we are not looking for is 'the sky-is-falling' FUD."

Kinsella, who took part in a panel discussion at the conference yesterday, added that security managers sometimes have little reliable data available to show that the investments they are making will truly mitigate future risks. And while it is not always necessary to deliver traditional ROI estimates, a security manager should clearly articulate business and customer risks.

"If it is not well planned, if you are not thinking a few moves down the chess board, I don't want to hear it," Kinsella said.

The issue is important because companies are increasingly moving away from traditional reactive security models to more preemptive ones, said Scott Blake, chief information security officer at Boston-based Liberty Mutual Insurance Group. As a result, security managers increasingly need to understand the value of security investments and articulate it in terms business executives can understand, he said.

The key is to "keep it real and get something that resonates with the executive body," said John Schramm, senior vice president of enterprise information security at Cincinnati-based Fidelity Investments.