What to Say to the C-Level: get your security project funded today!

"Information Security is a Tax."

That was the response to our information security proposal from a C-Level executive at a bank with $20B in assets.

In nearly every business, adding costs to information systems will be seen by the people running the business as a cost first and a benefit second. Remarkably, this still holds true despite the constant pulse of security events hitting C-Level desks. So, as security professionals, let's develop an understanding of the C-Suite and of what the C-Levels actually prioritize.

C-Level priorities fall into the following categories:

  • Growth — Are our products being adopted by more customers?
  • Costs — Are we on track to spend less than we make? 
  • Profits — Are we on track to hit our numbers so we can announce a good quarter? 

A business case adds customers buying your products, drives costs down, or influences other balance-sheet/P&L mechanics to improve the quarter or the year. Does the security project you are proposing influence any of these three items? In my experience, security professionals rarely address them when pitching a project. Let's explore how to sell your security project to the C-Level.

It is extremely difficult to build a growth-based business case for any security project. On the revenue side, customers will assume that you are already doing all of the right things; they may make a cursory inquiry into your internal audits, and then they will leave you alone. Passing the additional cost of your security projects on to customers is, in all but the rarest cases, impossible. So we are left with costs and accounting mechanics to consider.

Does your security project reduce cost? Be certain to explore the costs of acquisition, maintenance, internal support, and life expectancy (is it longer than what it replaces?) when reviewing the costs associated with the project. Has the company grown? Perhaps the cost of your project per person will be lower than in the past. Has the cost of financing changed? Demand an ROI (Return On Investment) analysis from your proposed vendor. Most vendors have a toolkit full of proposals to assist you, but beware: you need to make their information your information.* Keep asking these questions until you find a cost saving; it will be very important as you put your proposal's presentation together.

In larger organizations, the finance people will be involved early on to ensure that the method of financing fits within the company's planning. If you are leasing, the length of the lease, the interest rate, or the anticipated life expectancy of the capital equipment (firewall, IDS, etc.) may provide a financial improvement that can be used to present your project. Work with your financial people to put this case together.

In nearly all cases, however, the savings will not cover the cost of the project. You need to realize that you are asking management to raise taxes. This is the framework within which you are working. Once you understand the framework, negotiating the funding becomes easier. Admittedly, it is easier to sell a security project to a funding committee in the post-TJX era. However, spending money to secure information systems is still modeled inside corporations as a value-neutral, though risk-mitigating, expense: no brand enhancement, no new customers, just the cost of continuing to do business with less risk. With the exception of the CSO (if you have a CSO), this is the thinking of anyone in your company whose title starts with a "C".

As a security executive positioning your projects for funding, you have most likely been told "perhaps next quarter" if you have taken any of the following self-defeating approaches.


What Not to Do

"If we do not upgrade our firewalls we will be susceptible to the following events that will…" Technical people often make this mistake: leading with a negative while trying to explain the downside of the situation. We might believe that the scarier the risk, the easier the sell. Counter-intuitive as it may seem, the people responsible for running your business are confronted with risks every day. What they will look for in your proposal is the business case, not just a risk that drives spending. Reread the quote above and you can see how it might read as blackmail. No matter how true the information is, business people will react negatively to requests positioned as threats.

For executives with children old enough to argue for themselves, this sounds like negotiating with a ten-year-old over an allowance. Using guilt with the C-Levels is counter-productive on many levels; guilt as the driver of your proposal will be read as a lack of maturity on your part.



What to Do

Every funding request needs to start at the beginning. Here is an outline that can guide your success with the C-Levels.

Page 1 - Introduction to the Project
Page 1 should have no more than 5 bullets.

Page 2 - Business Case
5-7 bullets detailing capital, expense, P&L adjustments, balance-sheet adjustments, and budget impact.

Page 3 - Short Presentation of the Solution
A few bullets that present the vendor of choice and the features of the product that meet the company's requirements.

Page 4 - Business Impact
Set expectations for the user experience, time frame, roll-out, and overall impact on the organization.

Page 5 - Close Strong!
A business case summary that captures your business case and the risk you are mitigating.

Many times as we travel through life we find that it is not what is presented, but how it is presented, that guides the outcome. Remarkably, I learned these lessons as a much younger security entrepreneur while selling to large financial institutions. If you have read this far you may also be interested in the presentation deck with more detail; send me a note and I will forward my material to you. Another good source for more generic information on presentations is Guy Kawasaki and his excellent note 'The only ten slides for your pitch': http://buff.ly/1M6wAJS

Please post your thoughts and your experiences in the C-Suite!

*The C-Level is very good at spotting a presentation that was developed by a vendor. Make certain that all of the vendor's DNA is scrubbed off any ROI information you use.

