In the perennial corporate tug-of-war over budget, some information security executives are relying on independent security assessments to influence their C-level officers, board members and other financial decision-makers to increase funding for cybersecurity and compliance initiatives.
Among them is Cory Deeter, director of security and compliance at Finish Line. A speaker today at SC Congress Toronto, Deeter recounted his arrival at the Indianapolis-based shoe retailer in April 2014, only to determine that a major cybersecurity investment was necessary in order to achieve a defendable security posture. Deeter contracted PricewaterhouseCoopers as a third-party security auditor in hopes that the findings would not only substantiate his assessment but also convince his superiors to prioritize cybersecurity when allocating budget.
“Unfortunately, money is oftentimes in short supply, and we as IT practitioners struggle somewhat in communicating to executive leadership in the finance area exactly why we need what we need,” said Deeter at the conference.
Deeter, who has previous experience as an IT systems auditor, believes that Finish Line's assessment was successful due to the implementation of several key strategies that he shared with SC Congress attendees. Among his recommendations:
Completing this assessment allowed Finish Line to create a long-term IT plan that properly balanced financial limitations against imminent security needs. “We built out a three-year strategic plan and we socialized that with the board [of directors] and got everyone on the same page,” said Deeter.