(Originally posted on LinkedIn on September 2nd 2014)
Return on Investment. Words that typically bring dread to the heart of any information security professional. Some have even gone so far as to advocate that it is a useless term in our industry given the nature of the threat environment with which we constantly live. If you look back at my last post entitle “You get nothing! You lose! Good day, Sir!” you will see a conversation that revolves around on how CISOs are viewed as out of touch by their C-Level peers.
This post sparked a call from a friend of mine who is the CEO of a small to mid sized company. He wanted to know my opinion on a proposal that he had been given by his CISO. My friend was having a hard time determining if it was actually worth spending the money - in other words his CISO didn’t clearly communicate the strategic value of the investment. The technology in question was one of those data aggregators who provide you information on the attacks and hacks that are happening across the internet (I don’t want to plug the company in question.)
Now I gave him my answer but I’d be interested in hearing how others out there justify their information security spend on items such as this to their senior and executive management. How are those conversations going? While I’m interested in how you’d justify this specific spend, I’m also interested in how you make the case for other similar types of asks that don’t specifically and directly tie back to the business.
Now if you work for one of the companies providing this service - please refrain from responding. I know how you want us to sell it and I didn't pose the question to be a platform for your sales pitch. I’m more interested in hearing from the guys in the trenches and boardrooms who are actually making the pitch after the vendor leaves the room.