Maximizing The Cost Efficiency For Information Security
There is always a degree of hype and perception around costs related to information security. In fact, whenever costs are discussed, whether for purchasing equipment, a factory or premises, or for increasing manpower, Top Management will debate whether the spend is justifiable and cost-effective. Any prudent organization would critically analyze any request that involves cost. Costs related to information security are no exception.
Once we understand and appreciate this basic point, half the job is done. We need to present any spend related to information security as a business requirement. Many CISOs fall in love with their project and over-hype the risks in order to win a favorable decision from the management. Such tactics tend to be counter-productive, not only for that project but also for critical future projects, and we may lose our credibility in the eyes of the Management.
First, we need to understand the business and satisfy ourselves, critically, that the InfoSec initiative we propose is really necessary to mitigate a critical business risk. Next comes the cost. Every effort must be made to scout the market for vendors offering solutions that best fit the business and to obtain competitive quotes. In fact, getting sanction for any spend, whether IT or non-IT, is a great challenge. It is a wrong notion that non-IT spends are sanctioned easily. The only difference is that for non-IT initiatives the management finds it easier to understand and appreciate the need to incur the cost; it does not follow that they are approved easily. In the case of IT or InfoSec there is always a grey area, and a feeling among some members that the need may be hyped and the spend may not really be required. It is our duty to explain the project in business language: take a practical view and clearly set out the emerging threats together with their business impact. If we ourselves are not fully convinced and are only making the management aware of the risk, we should say so. We can frankly state that, given the high cost, it may be prudent to live with the risk, that is, to accept it.
We should let the Management decide whether to incur the cost and address the risk. It is possible that, because of a prevailing business situation of which we are not aware, the management decides to postpone the project and accept the risk. It is wrong to conclude from this that the business is not interested in information security whenever cost is involved. I have come across several good (non-InfoSec) business initiatives that were rejected because they were not portrayed adequately or convincingly.