The Business Case for Information Security

1
The Business Case for Information Security
Phil Hillhouse VP Americas Services
2
Whats the Business Case?
Information Security Business Case Framework
Executive Drivers
Prudent Measures
Collaborative Business Case
3
Executive Drivers for Information
SecurityNon-technical. May or may not require
hard economic justification
4
Information Security RealityMore than just
one-time events
Quantify Visible Cost of Events
Quantify Hidden Cost of Events
5
Whats the Process?Big 7 Executive Concerns for
Information Security
6
Prudent MeasuresInvestment vs. Effectiveness for
Selected Clients
Perfect Security
Totally Vulnerable
Prudent Zone
Security Investment
Hospitality Company 54
Manufacturer 34
Printing Company 24
Regional Bank 61
Medical Center 49
0
50
5
25
75
95
Security Effectiveness
7
Framework for Projected Financial Value
8
Correlation of Business Cases
Security Investment
Security Effectiveness
Return on Investment
Incremental Revenue Opportunity
Reduced Annual Loss Expectancy
Hard Cost Savings
Productivity Improvement
Decreasing Variability
9
What are the Investment Options?Consider
Increasing Layers of Information Security
Basic Asset Protection
Perimeter Protection
Advanced Asset Protection
Enterprise Protection
10
Pulling these concepts together
Security Investment
Balance Investment vs. Effectiveness
Security Effectiveness
Financial Investment
Incremental Revenue Opportunity
Reduced Annual Loss Expectancy
Hard Cost Savings
Productivity Improvement
Financial Value
11
Collaborative Business Case tool
Financial Summary
Customer Environment
Value Drivers
Product Solution
General

• Cost Reduction
• Obtain Soft Cost Savings (Reduced Annual Loss
  Expectancy)
• Realize Hard Cost Savings (IT Infrastructure
  Efficiencies)
• Productivity Improvement
• Increase end user productivity (Anti-Spam,
  Content Filtering)
• Better utilize Security/IT personnel (Patch
  Management)
• Incremental Revenue Opportunity
• Enable projects otherwise avoided due to security
  concerns

12
What are the Next Steps?Depends on the status quo
Business Case
Do what youre doing more cost effectively.
OK
Benchmark
Business Case
Not OK (or not sure)
Do a full assessment. Outline the
options. Establish a plan.
13
Business Case DeliverableTwo halves to the
business case Narrative and Financial

• NARRATIVE
• Executive level drivers
• Subjective benefits
• Hard-to-quantify benefits
• Soft benefits

• FINANCIAL (VALUE)
• Quantify wherever possible
• Cost reduction
• Hard cost savings
• Reduced annual loss expectancy
• Productivity improvement
• End users
• IT/Security staff
• Incremental revenue opportunity
• FINANCIAL (INVESTMENT)
• Up front costs
• Products Services
• Recurring costs
• Subscriptions Maintenance
• Internal deployment costs

14
For more information on the business case
methodologywww.iss.net/businesscase/