Ms. Agarwal knows that she will need to justify security spending with solid business justifications and demonstrable business value. What is needed is a business approach to information security. How does Ms. Agarwal do that? Investments in information technology security require both "buy-in from the top", that is, from executive management, and "buy-in from below", that is, support from business decision-makers and users, for maximum business benefit. But who are the most effective advocates for getting the support necessary for successful IT investments and deployments? It is very important to understand that ultimately it is the enterprise's assets that are at stake, not the information technology security assets. Executive management will need to make the decisions, and the facts and figures on which such decisions are going to be made should be presented as a strong business case.
There could be many possible ways to approach this. Ms. Agarwal may start by identifying the primary drivers for implementing security controls in the organization. For example, is it just a particular regulation that mandates a security control? Or is it due to new business requirements resulting in the integration of new systems, as we noted in the example above? Developing a roadmap to an effective information security strategy could help derive business value. The strategy could start by defining management expectations, for example security sponsorship, risk tolerance, the level of required investment and so on. An initial plan to implement a security program could then be set up, linked with business-strategy-driven governance.
For example, if customers were to make online payments through the website and this function were outsourced to third parties, those third parties would have access to customers' confidential information. Customers are hesitant to do business with organizations that are seen as not secure. The plan should clearly establish the required level of investment, the resources and skills that would be required, how relevant security policies and standards are going to be developed, how assets and resources are going to be protected, what user training will be required, and so on. The risk of not having a strategic roadmap to address information security requirements should be expressed in monetary terms as far as possible. Inadequately protected information assets are most likely to have an impact on the organization's profitability, which is a concern for senior management. Remember, even your business partners have their own needs and demands. They are expected to meet a certain level of service and require seamless integration with the business. They are expected to respect the confidentiality and integrity of the organization's customer and employee information, and they expect the same from your organization. A sustainable and ongoing risk management program to monitor risk in a dynamic business environment is therefore very necessary.
Senior management expects its information security teams to provide appropriate asset protection at minimum cost while at the same time maintaining compliance with applicable laws and regulations. CISOs and IT managers will need to articulate the business value to management effectively and in a way that is clearly understood. An understanding of the business environment in which the organization operates is therefore very critical for CISOs and IT managers. Ms. Agarwal is now convinced that presenting a case to the CEO which notes that automated and controlled data interfaces with third parties will result in X amount of savings in staff cost over a period of time, as opposed to implementing a perhaps cheaper manual and reconciliation-dependent process, has a better chance of success!
The author is Director, Enterprise Risk Services, with Deloitte Haskins & Sells. Views expressed in this article are his own.