The two most common complaints that security managers relate are: (1) they don't have senior management support, and (2) it's tough to quantify the costs and benefits of security. Security managers lack senior management support because they are not able to quantify their program's benefits in a language that management understands. The result? A disconnect between the security managers and senior executives within the organization. Security managers today must not only manage and measure the information security program, but they must also translate those measurements into meaningful reports for senior executives. The number of spam messages stopped at the e-mail gateway means nothing unless that metric can be tied to the resulting increase in the number of productive hours for employees.
Information security managers often convince themselves that they can't do any better than they are already doing to gain senior management support and thus obtain the funding they need. But their thinking is clouded by five key myths:
Myth No. 1: Executives only care about their own firm's security. Security managers who have been successful in getting buy-in and support from senior management emphasize the importance of benchmarking the organization against others in the same industry or of similar size. The benchmarks don't have to be 100 percent quantitative. In fact, most managers like to see the quantitative benchmarks augmented by analysis from security experts. These measurements provide good directional information on industry trends and a good idea of where the company stands in the industry.
Myth No. 2: Stories and anecdotes waste executives' time. This myth could not be further from the truth. Most security managers report that their executives are very responsive to war stories and anecdotes about other companies. Security managers can use them to emphasize a concern or communicate a key risk. Instead of explaining the benefits of encryption, it is much more powerful to refer to a story of a company (preferably from the same industry) that did not have encryption. Examples might include a corporate device that was sold on eBay with all of its confidential information still on it, or a newspaper that missed a publication because its main news server had a virus, the latter used to make the case for spending resources on antivirus solutions.
Myth No. 3: Executives always want to see numeric evidence. Some security managers only want to give numeric evidence to top executives, but they should not be afraid of also providing qualitative metrics and assessments. Most senior executives rely on their security staff's expertise to protect the corporate assets and therefore trust their judgment. As long as there is some justification for their qualitative assessments - an opinion, for example, on the degree of risk a firm faces - senior management will not object to receiving them. In fact, it may be a good idea to have an executive summary in all reports to senior management with the opinion of the security manager on the status of the firm's security.
Myth No. 4: Executives hate auditors. Auditors generally mean additional work for the organization and endless hours of detailed review documentation. But security auditors are different. Not only do they review the organization's security controls with a fine-tooth comb, which is desirable in this case, but they also provide an independent assessment of the security posture. They can be a great source of information for executives to do informal benchmarking. As one interviewee noted: "Independent assessments are important, not only for security managers to prove their credibility, but also for senior executives to verify that the organization is on the right track and that management has not overlooked any major risks".
Myth No. 5: Executives always want ROI. In reality, very few senior executives actually ask for the return on investment on security spending. It is incumbent upon security managers to educate their management and help them understand that security investments don't always have a return on investment. It is more important to executives to track and report the impact of security products and services on day-to-day business. As a security executive in a government agency observed: "In cyber security, regardless of the return on investment, for certain things, the cost of failure is so high that you have to do them. Therefore, I do risk-benefit-cost analysis, not ROI."