First in a four-part series on the toughest security issues affecting the enterprise.
The job title on your business card might read CSO or CISO, but that may count for less than expected in having your ideas on network security accepted by the rest of the organization.
"We have a problem in our industry that the typical CISO is not 'chief' of anything," says Jon Gossels, president of SystemExperts, a Sudbury, Mass., consultancy specializing in network security. "The CISO is mainly an overpromoted technologist."
While CSOs surely aren't seen that way everywhere, they do acknowledge that getting their ideas accepted, from the board level on down, is a challenge. This is despite a general recognition by organizations today that better security and risk management are needed to protect company data and to adhere to new government and industry rules.
This topic will be among those on the agenda at The Security Standard summit, an IDG Executive Forum being held Sept. 6 and 7 in Boston.
Paul Simmonds, CISO at ICI, the U.K.-based paints and specialty chemicals supplier, contends that you can win the battle at the corporate board level for investment in security projects by methodically assessing the corporate security posture and proposing improvements in financial terms.
"Return on investment and board communications have to be argued in money," Simmonds notes. "It costs us this much not to do it, this much for solution A with these risks and benefits, this much for solution B with these risks and benefits, etc."
He adds that many security managers "have no formal business training; they typically came via the IT route," and thus may not be well prepared to speak in financial terms. Or they never find ways of measuring security that yield the hard numbers needed to make the ROI case.
Consultants suggest starting with some known ways to quantitatively measure how the organization is doing in terms of its security.
Tom Walsh, a consultant in Overland Park, Kan., recommends CISOs refer to the National Institute of Standards and Technology's (NIST) "Risk Management Guide for Information Technology Systems."
This document is also known as NIST Special Publication 800-30. It's a great framework for analyzing system characteristics in hardware, software, network equipment and mobile devices in order to determine a "risk score," Walsh says.
"Everything is risk-based or compliance-based," he says. "Risks are rated by likelihood and impact."
The purpose of this risk analysis is to inform business managers "and help them make that business decision," Walsh says. "Give them choices, costs and risks. It's a step we all tend to miss."
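Walsh's SP 800-30 approach, as an added example that is not from the article: rate a set of constructed findings with the publication's likelihood-by-impact risk-level matrix (Table 3-6 of the 2002 edition), rank them, and lay out remediation choices with their cost and residual risk, the "choices, costs and risks" Walsh says to give business managers. The system names, options and costs are hypothetical.

```python
# Weights from NIST SP 800-30 (2002), Table 3-6 risk-level matrix.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood weight x impact weight (SP 800-30, Step 7)."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_findings(findings: list[dict]) -> list[tuple[str, float, str]]:
    """Return (name, score, level) for each finding, highest risk first."""
    rated = [(f["name"], risk_score(f["likelihood"], f["impact"])) for f in findings]
    return [(n, s, risk_level(s)) for n, s in sorted(rated, key=lambda r: r[1], reverse=True)]


def compare_options(finding: dict, options: list[dict]) -> list[tuple[str, int, float, str]]:
    """Residual risk per option; 'do nothing' keeps the current rating at zero cost."""
    rows = [("do nothing", 0, risk_score(finding["likelihood"], finding["impact"]))]
    for opt in options:
        # Each option states the likelihood/impact it leaves behind and what it costs.
        rows.append((opt["name"], opt["cost"], risk_score(opt["likelihood"], opt["impact"])))
    return [(n, c, s, risk_level(s)) for n, c, s in rows]


# Constructed sample inventory (hypothetical systems, not from the article).
FINDINGS = [
    {"name": "payroll app, unpatched", "likelihood": "high", "impact": "high"},
    {"name": "sales laptops, no disk encryption", "likelihood": "medium", "impact": "high"},
    {"name": "intranet wiki, weak passwords", "likelihood": "low", "impact": "low"},
]

# Constructed remediation choices for the top finding, with hypothetical costs.
OPTIONS = [
    {"name": "A: patch + monitor", "cost": 40000, "likelihood": "low", "impact": "high"},
    {"name": "B: patch + segment network", "cost": 90000, "likelihood": "low", "impact": "medium"},
]

if __name__ == "__main__":
    for name, score, level in rank_findings(FINDINGS):
        print(f"{level:6} {score:5.1f}  {name}")
    for name, cost, score, level in compare_options(FINDINGS[0], OPTIONS):
        print(f"{name:30} ${cost:>7,}  residual {score:5.1f} ({level})")
```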
When there are hundreds of applications in an enterprise, the problem can be determining who owns each system.
"Once you know what the data owners want from you, you can put together a budget," Walsh says. "Security is a business. We have to run it like a business. Unfortunately, most of us come from an IT background."
At SystemExperts, Gossels also favors standards as a basis for review. But his favorite is British Standard 7799, adopted as the international ISO standard 17799, as a baseline for defining security within the organization.