|What to Say to the C-Level, get your security project funded today!

"Information Security is a Tax."

The response to our information security proposal from a C-Level exec within a $20B in assets bank.

In near every business, adding costs to information systems will be seen by the people running the business as a cost first, benefit second. Remarkably, this still holds true despite a constant pulse of security events hitting the C-Level desks. So, as security professionals, let's develop an understanding of the C-Suite and the C-Levels as to their priorities.

C-Level priorities fall into the following categories:

  • Growth — Are our products being adopted by more customers?
  • Costs — Are we on track to spend less than we make? 
  • Profits — Are we on track to hit our numbers so we can announce a good quarter? 

A business case would add customers buying your products, drive costs down, or influence other balance sheet/P&L mechanics to improve the quarter/year. Does the security project that you are proposing influence any of these three items? In my experience, security professionals rarely address these items when pitching a project. Let's explore further how to sell your security project to the C-Level.

It is extremely difficult to develop a business case involving growth for any security project. On the revenue side, customers will assume that you are doing all of the right things. Perhaps make a tacit investigation as to your internal audits, and then they will leave you alone. Attempting to pass the additional costs of your security projects on to the customers are, in all but the rarest cases, impossible. So we have costs and accounting mechanics left to consider.

Does your security project reduce cost? Be certain to explore the costs of maintenance, acquisition, internal support, and life expectancy (longer?) when reviewing the costs associated with the project. Has the company grown? Perhaps the costs of your project per person will be less than in the past? Is there a change in financing costs? Demand from your proposed vendor an ROI analysis (Return On Investment). Most vendors have a toolkit full of proposals to assist you, but beware; you need to make their information your information.* Keep asking the questions until you find a cost saving, this will be very important as you put your proposal's presentation together.

In larger organizations, the finance people will be involved early-on to assure that the method of finance will fit within the company's planning. If you are leasing, the length of the lease, interest rate or the anticipated life expectancy of the capital equipment (firewall, IDS, etc.) may provide a financial improvement that can be used to present your project. Work with your financial people to put this case together.

In near all cases, however, the savings will not cover the cost of the project. You need to realize that you are asking management to raise taxes. This is the framework from within which you are working. Once you understand the framework, negotiating the funding becomes easier. Admittedly, it is easier to sell a security project to a funding committee in the post-TJX era. However, spending money securing information systems is still modeled inside corporations as a value-neutral, though risk-mitigating, expense. No brand enhancement, no new customers, just the cost of continuing to do business with less risk. With the exception of the CSO (if you have a CSO) this is the thinking of anyone in your company that has a title starting with a "C".

As a security executive positioning how you might get your projects funded, you have most likely been told 'perhaps next quarter' if you have taken any of the following self-defeating approaches.

What Not to Do

"If we do not upgrade our firewalls we will be susceptible to the following events that will…" Technical people often make this mistake. Leading with a negative while trying to explain the downside of the situation. We might believe that the scarier the risk, the easier the sell. Though counter-intuitive, the people who are responsible for running your business are confronted with risks every day. What they will look for in your proposal is the "business case," not just the risk that will drive spending. Rereading the above quote, you can see how blackmail might be implied. No matter how true the information might be, business people will react negatively to requests positioned as threats.

For those executives that have children old enough to argue for themselves, this is going to sound to them like negotiating with a ten-year-old and their allowance expectations. Using guilt with the C-Levels is counter-productive on many levels. Using guilt as a driver in your proposal will be seen by the C-Levels as the lack of maturity on your part.

What to Do

Every funding request needs to start at the beginning. Here is an outline that can guide your success with the C-Levels.

Page 1 - Introduction to the Project
Page 1 should have no more than 5 bullets.

Page 2 - Business Case
5-7 bullets detailing capital, expense, P&L adjustments, BS adjustments, and Budget impact

Page 3 SHORT Presentation of the solution.
A few bullets that present the vendor of Choice and the necessary features of the product that meet the companies requirements.

Page 4 - Business Impact
Set expectations as to the user experience, time-frame, roll-out and overall impact to the organization.

Page 5 - Close Strong!
Business Case Summary that Captures your business case and the Risk you are mitigating.

Many times as we travel through life we find that it is not what is presented, but how it is presented that will guide the outcome. Remarkably, I learned these lessons as a much younger Security Entrepreneur while selling to large financial institutions. If you have read this far you may also be interested in the presentation deck with more detail, send me a note and I will forward my material to you. Another good source for more generic information on presentations is from Guy Kawasaki and his excellent note: 'The only ten slides for your pitch'. http://buff.ly/1M6wAJS

Please post your thoughts and your experiences in the C-Suite!

*The C-Level is very good at spotting a presentation that was developed by a vendor, make certain that all of the vendor's DNA is scrubbed off of the ROI information you may be using.

Ready to put your project online? Create a Space today!
Learn More


To add a comment, please login or register.


Using a Lenovo P51 Laptop with an Airplane Power Supply
The Lenovo P51 Laptop comes with a huge 170 watt Power Supply. However, airplane power supplies provide a maximum of somewhere between 75-100 watts. If you plugin a power supply requiring more watts, the circuit breaker will short out and the power will stop flowing.
C-Level Security: When your team uses military analogies, are they using the wrong narrative?
For years, I have bristled when people would use medieval military descriptions in an attempt to convey concepts within the Network Security business. Bastions, Firewalls, Moats, Drawbridges, Countermeasures; all of these descriptions give way to a more accurate and detailed explanation of what was really taking place.
Turning Atlassian JIRA into a CRM
Here at Member.buzz, we use Atlassian JIRA to track our features, bugs, and incoming requests from users through our Support Site. So when it came to choosing a CRM, we wanted to find one that integrated nicely with the rest of our infrastructure.Our first thought was to try out some of the existing JIRA CRM plugins. Here are the ones we tried out:CRM for JIRAAtlas CRMKanoah CRMAlthough there were definitely some interesting features among these options, there was nothing substantial enough to make us want to choose a specific one. We wanted something simple, yet well-integrated into what we already had
Setup Point-to-Site VPN with Ubiquiti EdgeRouter
Learn how to setup a VPN with your Ubiquiti EdgeRouter.