Sunday, August 26, 2012

Information Security screw-up #3 - it's all about financial sense

Many of us, as Information Security Professionals, would love to have the best-of-breed security technologies in place. And most of us are paranoid and want things to be as secure as possible. However, that's not how the real world works, not in an enterprise environment at least. And the current state of the world economy is not helping either, adding insult to injury.

This story is about the same "young" Information Security lad....

Mr. Global CISO: Ok, team. Now it is again time for us to propose our budget for next year. I expect each of you to prepare a budget proposal for your region and come back to me by the end of this week. Then we shall discuss. What you want to do with your region, I'll leave to you, as long as it makes sense.

Young Information Security lad: No worries, sir. You'll get it by the end of the week.

Right after the meeting, the "young" information security lad opens his laptop and starts to list all the potential information security projects. After giving it some thought, he decides to give the "laptop encryption" project the highest priority.

Mr. Global CISO: So, what do you have for me?

Young Information Security lad: Mr. Global CISO, here are the projects that I have in mind for my region. I would like to highlight this particular project to you - laptop encryption...

Mr. Global CISO: That sounds interesting. Looking at your proposal, you propose to have all the laptops encrypted - that would be around 50,000 laptops in your region; at 200 EUR for each laptop, that would be 1 mil. EUR in total. Now, imagine I'm the CEO. Try to convince me why I should give you this 1 mil. EUR.

Young Information Security lad: Mr. CEO, sir, as you may already know, almost all employees have been given a laptop for the purpose of working, and these laptops contain valuable information. In the event of a laptop being stolen, we wouldn't want the information within to be visible and accessible to other people. Laptop encryption would ensure that our company data is safe from unauthorized eyes.

Mr. Global CISO: Interesting. But what you are asking for is a lot. I don't have 1 mil. to spend. Furthermore, if I understand correctly, that would mean installing another piece of software on existing laptops. That would make the laptops even slower than they already are. Users are already complaining that their laptops are really slow, and it is really getting under their skin.

Young Information Security lad: But Mr. CEO, we must protect our company data.... Without encryption, our data could fall into the wrong hands, such as our competitors'. It's a trade-off that we have to accept in order to ensure security.

Mr. Global CISO: I see your point, but 1 mil. EUR is too much. You have to come back with a better proposal.

Young Information Security lad: But sir.....

Mr. Global CISO: So, the CEO just brushed off your proposal. What do you think? What would be your next step?

Young Information Security lad: I don't know what to say. Company data is crucial. It could cost us more than that if it were stolen... What I can do is try to get a better discount from the supplier...

Mr. Global CISO: Here is my feedback. You did quite well in terms of selling the reason to him. But you failed to see the big picture from his perspective, or to put yourself in his shoes. His main concern was financial. He did not see it as a worthy investment. Now, how could you make this a worthy investment? Ask yourself, do you really need to encrypt all laptops? All 50,000? Perhaps you should first focus on the laptops that contain very sensitive data, such as those of the country's CEO, CFO, CIO, sales and marketing, etc. I bet the total would not be more than 100. That would reduce your cost down to 20K EUR. I believe the CEO would support you if you were to submit this amount as your revised proposal. To be honest, I would not even approve your proposal myself. But I did this "simulation" so that you could learn to see things more from a business perspective. It's all about managing the risks. Assets or information need to be protected, but it has to make financial sense.

Young Information Security lad: Thank you, sir. I have learned a good lesson today. <* Glad I have him as a boss. Not many bosses can really teach and guide you. Most of the time... they just boss you around... *>

Moral of the story?
1. If it does not make financial sense to invest in a certain security technology, then it does not make sense to have it. If you still think that it is a must-have, then try to sell it from a different perspective that would make financial sense.

Ain't security fun? ;)
