Called "Selling Infosecurity to the Board," the session was led by The Thomson Corporation's corporate security officer and VP Dennis Devlin, who is responsible for securing the proprietary data of a provider of integrated information that has offices in 50-plus countries and reportedly made $7.6 billion in revenues in 2003.
Giving pragmatic advice to attendees on what to consider when angling for budget for security purchases, he said CSOs need to find common ground with boards of directors and CXOs to gain leverage. This means addressing what keeps everyone up at night: increasing government, industry and international regulations to which companies must comply; revenue loss that hits companies in the wallet and reduces customer confidence; and a downgrading of the corporation's reputation, which is hard to quantify until something goes wrong.
By aligning your goals with those of the boss, noted Devlin, you are more likely to gain the ear of your higher-ups and get the money necessary for you to do your job. For CSOs to do this right, he added, they have to realize their roles as facilitators of fiduciary success and educators of their colleagues. In understanding this, the job of obtaining budget gets easier, because the stereotypical IT security geek can enlist business arguments to prove need and get business owners to help with business justification for IT security spend.
As the CSO role evolves, this will be one of its main traits. The problem will be one of finding knowledgeable IT professionals who are comfortable with their business acumen and can eloquently wrench money from CXOs. This CSO will be more difficult to find as more regulations pass and attacks become more complex.
In the meantime, said Devlin, security professionals in companies today must help their managers understand that security done correctly is not a business impediment – and they must achieve this by skipping the "fear, uncertainty and doubt" (FUD) argument. Protecting organizations from business interruptions and liabilities that trail IT attacks is an integral part of today's business. Allocating budget to prevent such occurrences when possible, and react to them when necessary, is the best thing money can buy.