The IT security industry is broken right now. Threat intelligence reports consistently show that mid-market organizations are targeted by hackers more often than large enterprises. Can you blame the hackers? They’re criminals, and they’re unethical, but they’re not stupid.
In fact, they have evolved into strategic cybercriminals, and, more importantly, opportunists. Every day brings news of a new breach or a form of malware that never existed before.
So how and why are cybercriminals so successful? Mid-market organizations don’t have the resources to defend themselves, which turns them into sitting ducks. Hackers know this.
The purpose of this post is to arm my fellow lean-and-mean security teams with a strategy that will help them convince their management team to invest in security. To have a better chance of defending against cyber-attacks, security needs to be prioritized as an ongoing discipline, one that is carried out by every member of the organization.
To influence your management team to invest in IT security, you must make sure they understand the main problem, communicate that problem using business metrics, offer a viable solution, and, most importantly, stay persistent in selling the value of a security investment. Communication and persistence are more than half the battle. By using specific business metrics to support your request, you will be in the best possible position to get more investment from your team.
Tip #1 – Ensure Your Team Understands the Real Problem
Does your management team understand what the real problem is? Business managers use two main metrics for most decisions: time and money. Let’s say IBM or HP, for whatever reason, decided to take a philanthropic approach to business and gave away all their IT security tools and products for free. Wouldn’t that be great?!
But wait. Who at your organization can actually use those tools? They not only need the right experience and skill set, they would also need time away from their day jobs to get trained on those tools.
Time, resources, and money remain the biggest challenges of all. IT security talent is expensive to develop, and it’s a non-revenue-generating role, which makes it even harder to justify at SMBs and SMEs. On top of that, we unfortunately do not live in a world where IBM and HP hand out free technology; the tools are every bit as expensive as the talent. Keep in mind that it also takes several years for your team and technology to gel, and we haven’t even discussed talent wars or turnover.
Therefore, it doesn’t make much sense to keep asking your management team for the newest tool or a new hire in isolation. You must speak in business terms, and those terms must be measurable in time and money.
Tip #2 – Speak Their Language
Since business managers are so focused on time and money, we must communicate with them in the same measurable language. After working with hundreds of CISOs and security analysts who have gone down this path and won, the most successful metric I’ve seen used to date is a TCO analysis (Total, or True, Cost of Ownership analysis). Why? It speaks to the two metrics that business managers use as their primary lens: time and money.
Let’s say you want to build a solid security posture over five years. You will need several tools and a team of at least two to five analysts led by a senior member such as a CISO. For argument’s sake, the table below uses some conservative numbers and some conservative assumptions. By spelling out exactly when each item lands and how much it will cost, you can show your team that you should be working together to find a more feasible solution. It also shows that you are thinking about the organization, not just your own role or department.
By speaking their language, you tell your team that you’ve covered all the angles and that you understand the importance of a business case. Managers love that kind of strategy.
TCO over 5 years

Assumptions:
|CISO salary: $100,000/year|
|Analyst salary: $70,000/year each|
|Products carry a 20% year-over-year renewal cost|

Each row is one year of the plan. The product column is the product spend in that year; the personnel column is that year’s payroll for everyone hired so far (the CISO in year 1, plus one analyst in each following year). The five-year TCO is the sum of both columns.

|Year||Product added||Product spend that year||Hire added||Personnel spend that year|
|1||Endpoint/Asset Discovery||$20,000||CISO||$100,000|
|2||IDS/IPS||$24,000||Analyst #1||$170,000|
|3||Vulnerability Assessment||$32,000||Analyst #2||$240,000|
|4||Behavioral Monitoring||$82,000||Analyst #3||$310,000|
|5||SIEM||$132,000||Analyst #4||$380,000|
|5-year subtotal||||$290,000||||$1,200,000|
|TCO over 5 years||$1,490,000|
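As an added example (not part of the original post), the following Python model reproduces the table above from its stated assumptions, so the arithmetic can be checked and the inputs swapped for your own organization’s numbers. It treats payroll as cumulative (the CISO in year 1, one analyst added each year after) and takes each year’s product spend from the table as an input rather than deriving it from the 20% renewal figure, which the post states but does not break down per product. The function and variable names are this example’s own.

```python
"""Five-year security TCO model (added example, not from the original post).

Reproduces the post's table: the CISO is hired in year 1, one analyst is added
each following year, and each year's personnel spend is the payroll of everyone
hired so far. Product spend per year is copied from the table as an input; the
post states a 20% renewal assumption but does not show the per-product maths,
so nothing here derives those figures. Names below are this example's own.
"""

# Salary assumptions stated in the post.
SALARIES = {"CISO": 100_000, "Analyst": 70_000}

# One entry per year: (product added, product spend that year, hire label, hire role).
# Product figures are copied from the post's table.
PLAN = [
    ("Endpoint/Asset Discovery",  20_000, "CISO",       "CISO"),
    ("IDS/IPS",                   24_000, "Analyst #1", "Analyst"),
    ("Vulnerability Assessment",  32_000, "Analyst #2", "Analyst"),
    ("Behavioral Monitoring",     82_000, "Analyst #3", "Analyst"),
    ("SIEM",                     132_000, "Analyst #4", "Analyst"),
]


def five_year_tco(plan=PLAN, salaries=SALARIES):
    """Return per-year rows plus product, personnel and grand totals."""
    rows = []
    on_payroll = []  # roles hired so far: payroll accumulates year over year
    for year, (product, product_spend, hire, role) in enumerate(plan, start=1):
        on_payroll.append(role)
        personnel_spend = sum(salaries[r] for r in on_payroll)
        rows.append({
            "year": year,
            "product": product,
            "product_spend": product_spend,
            "hire": hire,
            "personnel_spend": personnel_spend,
            "year_total": product_spend + personnel_spend,
        })
    product_total = sum(r["product_spend"] for r in rows)
    personnel_total = sum(r["personnel_spend"] for r in rows)
    return {
        "rows": rows,
        "product_total": product_total,
        "personnel_total": personnel_total,
        "total": product_total + personnel_total,
    }


def format_table(result):
    """Render the model as the kind of table you would put in front of management."""
    lines = [
        f"{'Year':<5}{'Product added':<26}{'Product':>10}  "
        f"{'Hire':<12}{'Personnel':>12}{'Year total':>12}"
    ]
    for r in result["rows"]:
        lines.append(
            f"{r['year']:<5}{r['product']:<26}{r['product_spend']:>10,}  "
            f"{r['hire']:<12}{r['personnel_spend']:>12,}{r['year_total']:>12,}"
        )
    lines.append(
        f"{'5-yr':<5}{'':<26}{result['product_total']:>10,}  "
        f"{'':<12}{result['personnel_total']:>12,}{result['total']:>12,}"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(five_year_tco()))
```

Passing a different `salaries` dict or `plan` list to `five_year_tco` gives the same table for your own market rates and tool mix, which is usually the first thing a finance manager asks for once the baseline is on the screen.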
Tip #3 – Offer Solutions and Remain Persistent
This TCO analysis is powerful because it is a black-and-white representation; there is not much room for interpretation. Ultimately, cyber security is becoming more and more of a classic “in-house vs. outsourcing” discussion.
The TCO analysis brings to light how challenging it is to tackle IT security in-house, and it helps turn the conversation into a search for a solution. Odds are, this will not be accomplished in one meeting. It will take a healthy dose of persistence to make sure the education is being absorbed. Mid-market organizations will waste a great deal of time and money trying to create a long-term, scalable, and affordable in-house cyber security function. As security professionals on the front lines, it is our duty to make sure our team members understand these factors and make educated decisions that will benefit the team.