Creative accounting can help land funds for IT security - ironically, compliance budgets may offer the best cover
IT managers looking to prise security budget from the board should avoid confusing executives: frame proposals around clear business objectives rather than technology goals, say experts, who also suggest presenting security upgrades under the cover of compliance proposals.
Speaking at last week's Infosec show in London, Rorie Devine, information security director at online gambling company Betfair.com, said funding is more likely to be approved if the board is given more than one quantitative risk assessment, each calculated in terms of the potential financial loss weighed against the probability of that loss occurring.
"If you tell them there is a 40 percent chance of being hit by a virus attack next week, explain where that risk comes from. [The] scare [tactic] has had its day - don't say virus attacks will quadruple in the next week according to Symantec, and avoid quoting the Gartner Magic Quadrant; it has been done to death," he said.
Ewen Melling, former IT director with investment company ISIS Asset Management, stressed the need to show clear return on investment (ROI) proposals and to think through the specific impact of security breaches on the IT department and on the organisation as a whole. "This is a business case, not a technology showcase. Use language they understand and propose something consistent and appropriate to your security needs. Don't over-engineer or make it too elaborate," he said.
"There's no point going to the board and asking for £100m if there are only six of you. Decide what it is you have to protect and make sure you have a starting point for how much money you have to spend," added Devine.