Chalk IT up: Boardroom communication

Speak in business terms and convey risk when attempting to gain funding for implementations from management, reports Stephen Lawton.

It is one thing to present a comprehensive data security plan after a breach is identified and the barbarians are at the gates calling for the neck of the chief information officer (CIO). It is quite another to build in data security before the worst scenario occurs. 

The pressing challenge for today's IT and information professional is to prepare a proposal for senior management and the board of directors that garners their approval and funding before the Securities and Exchange Commission, Department of Justice or regulators are pounding on the door.

For the CIO, simply telling the board that cyber threats are growing and potential lawsuits could be oppressive is far from a compelling argument, says Richard Bejtlich, chief security officer of Mandiant, an Alexandria, Va.-based threat detection and response company. Instead, he says, it is necessary for funding requests to be put in business terms that address corporate risk, compliance and similar operational fundamentals.

Companies today face a conflict of confidence if they publicly acknowledge a data breach, yet virtually every one has had some level of compromise to their network, whether they know it or not, says Bejtlich, who runs Tao Security, a data security consultancy. Noting that even organizations that are seemingly savvy about protecting data have been breached, including federal agencies and companies in the security industry, he says such compromises are still considered to be a “negative event” in the eyes of corporate executives. “It's still ‘blame the victim,’” Bejtlich says.

There are two occasions that will generate a request for data security funding from the chief executive officer or board, he says. A breach certainly will generate an investigation into security practices and, perhaps, a request for greater budget. But a pre-breach analysis of the existing risk profile and potential vulnerabilities could generate a successful request for further funding.