In the perennial corporate tug-of-war over budget, some information security executives are relying on independent security assessments to influence their C-level officers, board members and other financial decision-makers to increase funding for cybersecurity and compliance initiatives.
Among them is Cory Deeter, director of security and compliance at Finish Line. A speaker today at SC Congress Toronto, Deeter recounted his arrival at the Indianapolis-based shoe retailer in April 2014, only to determine that a major cybersecurity investment was necessary in order to achieve a defendable security posture. Deeter contracted PricewaterhouseCoopers as a third-party security auditor in hopes that the findings would not only substantiate his assessment but also convince his superiors to prioritize cybersecurity when allocating budget.
“Unfortunately, money is often times in short supply, and we as IT practitioners struggle somewhat in communicating to executive leadership in the finance area exactly why we need what we need,” said Deeter at the conference.
Deeter, who has previous experience as an IT systems auditor, believes that Finish Line's assessment was successful due to the implementation of several key strategies that he shared with SC Congress attendees. Among his recommendations:
- Choose a reputable, well-respected independent auditing firm with a name your senior executives will recognize and trust.
- Don't shortchange the assessment of your company by limiting it to just the industry your business is in. For instance, Finish Line didn't just compare its security readiness with the rest of the retail industry; it also had itself compared to other verticals and best-of-breed businesses. “You have to have broad knowledge across sectors,” said Deeter. “Retail's a mess all over the place, so [looking only at retail is] not really moving the ball forward very much.”
- Involve your superiors (e.g. C-level executives, VPs, directors, etc.) in participate in, as well as refine, the security assessment process, and let them engage with the auditors even if some of their opinions might be harsh or misguided. “It made the business [side] feel like they were part of this initiative and they were part of this project,” said Deeter.
Completing this assessment allowed Finish Line to create a long-term IT plan that properly balanced out financial limitations with imminent security needs. “We built out a three-year strategic plan and we socialized that with the board [of directors] and got everyone one the same page,” said Deeter.