"Information Security is a Tax."
The response to our information security proposal from a C-Level executive at a bank with $20B in assets.
In nearly every business, adding costs to Information Systems will be seen by the people running the business as a cost first and a benefit second. Remarkably, this still holds true despite the constant stream of security events landing on C-Level desks. So let's, as security professionals, develop an understanding of the C-Suite and the C-Levels and what their priorities are.
C-Level priorities fall into three categories: Growth, Costs, and Accounting Mechanics.
A business case, in the simplest terms, would add customers buying your products, drive costs down, or influence other Balance Sheet / P&L mechanics to make the quarter or year better. Does the Security Project you are proposing influence any of these three items? In my experience, Security Professionals rarely address them when pitching a project. So, let's explore further how to sell your Security Project to the C-Level.
It is extremely difficult to develop a business case involving Growth for any Security Project. On the revenue side, customers will assume that you are doing all of the right things, perhaps make a cursory inquiry into your internal audits, and then leave you alone. Attempting to pass the additional costs of your security projects on to the customer is, in all but the rarest cases, impossible. That leaves Costs and Accounting Mechanics to consider.
Does your security project reduce cost? Be certain to explore the costs of acquisition, maintenance, internal support and life expectancy (is it longer than what you have today?) when reviewing the costs associated with the project. Has the company grown? Perhaps the cost of your project per person will be less than it was in the past. Is there a change in financing costs? Demand an ROI (Return On Investment) analysis from your proposed vendor. Most vendors have a toolkit full of proposals to assist you, but beware: you need to make their information your information.* Keep asking questions until you find a cost saving; this will be very important as you put your proposal's presentation together.
In larger organizations, the finance people will be involved early on to ensure that the method of financing fits within the company's planning. If you are leasing, the length of the lease, the interest rate, or the anticipated life expectancy of the capital equipment (firewall, IDS, etc.) may provide a financial improvement that can be used to present your project. Work with your finance people to put this case together.
In nearly all cases, however, the savings will not cover the cost of the project, and you need to realize that you are asking management to raise taxes. This is the framework within which you are working. Once you understand the framework, negotiating the funding becomes easier. Admittedly, it is easier to sell a security project to a funding committee in the post-TJX era; however, spending money securing information systems is still modeled inside corporations as a value-neutral, though risk-mitigating, expense. No brand enhancement, no new customers, just the cost of continuing to do business with less risk. With the exception of the CSO (if you have one), this is the thinking of anyone in your company whose title starts with a "C".
As a security executive positioning your projects for funding, you have most likely been told "perhaps next quarter" if you have taken any of the following self-defeating approaches.
What Not to Do
"If we do not upgrade our firewalls we will be susceptible to the following events that will…" Technical people often make this mistake: leading with a negative while trying to explain the downside of the situation. We might believe that the scarier the risk, the easier the sell. Counter-intuitively, the people responsible for running your business are confronted with risks every day. What they will look for in your proposal is the business case, not just the risk that will drive spending. Reread the quote above and you can see how blackmail might be implied. No matter how true the information is, business people will react negatively to requests positioned as threats.
To executives with children old enough to argue for themselves, this will sound like negotiating with a ten-year-old over an allowance. Using guilt as a driver in your proposal is counter-productive on many levels; the C-Levels will see it as a lack of maturity on your part.
What to Do
Every funding request needs to start at the beginning. Here is an outline that can guide your success with the C-Levels.
Page 1 - Introduction to the Project
Page 1 should have no more than 5 bullets.
Page 2 - Business Case
5-7 bullets detailing Capital, Expense, P&L adjustments, Balance Sheet adjustments, and Budget impact
Page 3 - Short Presentation of the Solution
A few bullets that present the vendor of choice and the features of the product that meet the company's requirements.
Page 4 - Business Impact
Set expectations as to the user experience, time-frame, roll-out and overall impact to the organization.
Page 5 - Close Strong!
A Business Case Summary that captures your business case and the risk you are mitigating.
Many times as we travel through life we find that it is not what is presented, but how it is presented, that guides the outcome. Remarkably, I learned these lessons as a much younger Security Entrepreneur while selling to large financial institutions. If you have read this far you may also be interested in the presentation deck with more detail; send me a note and I will forward my material to you. Another good source for more generic information on presentations is Guy Kawasaki's excellent note 'The only ten slides for your pitch': http://buff.ly/1M6wAJS
Please post your thoughts and your experiences in the C-Suite!
*The C-Level is very good at spotting a presentation that was developed by a vendor; make certain that all of the vendor's DNA is scrubbed off any ROI information you use.