I recently saw an issue of The Economist that had a pixelated nuclear explosion engulfing a city on the cover. The caption simply said “Cyberwar: The threat from the internet.” That’s a little dramatic in my opinion. But it’s nothing new. Those of us working in cyber security are often guilty of using gloom and doom to get executives to understand the importance of information security.
The reason security is such a tough sell is simply that there is no obvious return on investment. Businesses don’t make more money by investing in information security; they only spend money. This is not an attractive prospect for anyone. Our brains just aren’t wired to get excited about loss prevention. Of course, not investing in information security can cost a business much, much more. So, naturally, the security engineer’s sales pitch gravitates towards striking fear into the potential client.
Before arriving at a meeting with the company executive, an information security salesman may come packed with an arsenal of horror stories about security breaches. Client credit cards stolen and auctioned off to the highest bidder. Company secrets exposed on the web. Up-and-coming businesses struck down in their prime because of one security slip-up. These are common tactics. The negatives are emphasized so much that those who work in information security have earned reputations as fear-mongers.
But is pushing the negative extremes on potential clients the best way to sell information security? I don’t think so. While it is true people respond to fear, they also respond to clear, level-headed and reasonable arguments regarding their security posture.
Compliance – While it should never be the goal, compliance is a good starting point for information security. Regulations straight from Uncle Sam require a certain level of security to be met whether the company thinks it’s a worthwhile investment or not. Here, the fear isn’t about security breaches, but about an audit.
Business Impact – It’s important that a security engineer be clear when describing threats, risks, and their mitigations. Specificity is also key. Companies need to see how a security breach could affect their own business, not so much how it affected another company. They need to understand, for each risk, the likelihood, the impact, and the cost to address the issue.
Project Bundles – Since there is no ROI on information security alone, you can give it one by packaging it with other projects. For example, executives can require that security work be scoped into modifying an existing product or service, or into developing a new one.
Are executives prioritizing information security and risk management? There’s an interesting survey that asked this question of 1,084 security pros – and the answer might surprise you. You can view the 2011 Strategic Security Survey right here.