In this era of ever-tightening budgets, security can be seen by the non-indoctrinated as a target for budget reduction or elimination. Most upper management does not see security as a business-critical expense that will return dividends; rather, it is seen as an expense with little direct return on investment. In order to gain more funding for security initiatives, you have to show management that there is a return on their investment. Typically, security is not a profit-generating expenditure for companies not in the information security realm; it is considered more as a cost of doing business. How much is spent is determined by how well the need for an aggressive security program is articulated. The first step in involving management and gaining their support (and budget resources) is to show the business need for security.
Showing the need for a security program seems to be an easy endeavor at first, but when approaching management with security requirements, you will need some facts to back up your claims. You will also want to gear your arguments to your audience, because speaking in techno-jargon to those not in the IT field will be meaningless and will dilute the point of your requests.
Using comparable companies and their recent exploits or security posture is a good place to start. Most managers understand that there is an expected level of risk they can safely assume and still fall within duly diligent industry best standards. If your business competitors understand security and have vigorous security programs, this can be the catalyst for your own management to meet or beat their security posture. Granted, this is not the most impressive way to gain acceptance from management for a security program, but it can be a quick way to get your program started until a more formal plan can be put in place. This follows the low-hanging fruit theory of attacking a problem from the easiest point, as a person would when trying to pick a piece of fruit from a tree. The person wouldn't necessarily go to the most difficult or highest point of the tree; rather, they would pick it from the lowest accessible point. Management support can also be gained by focusing on legal requirements, prestige, industry benchmarks, or risk assessments.
The first step in determining what security policies and programs need to be put in place is through a risk assessment.