The famous bank robber Willie Sutton was reputed to reply to the judge, when asked why he robbed banks, "because that's where the money is."
Nowadays, when information is stolen, compromised, corrupted or destroyed, that is not done with a six-shooter. Willie always knew how to count his loot, but how do you put a price on corporate information that you must protect? From the standpoint of an information security executive, the challenge of answering the question about the worth of protecting a firm's wealth embodied in information is always a difficult one. Corporate CFOs, proud about their balance sheet accounts that detail a firm's petty cash, inventory, fixed assets and buildings to the nearest penny, will always delight in torturing a petitioner from the IT department who asks for money for something as vague as "information security."
Justifying information security spending
As corporate wealth based on information becomes more encompassing and pervasive, the issue of valuing information risks cannot be dealt with by intimidating paranoia. Based on my 30 years as a CIO of large but stingy global corporations, I have learned how to get more money for IT in ways that are not only credible but defensible as well. This involves applying the principle: "If you wish to justify it, you must be able to value it." The question is, how do you justify spending on information security in ways that are both practical and verifiable? How do you
Step #1: Threats to tangible assets
As the first step, you must concentrate on matters that are so obvious that everyone will instantly understand what you are talking about. Start with a discussion of threats to tangible information assets, which I define as anything that touches the shareholder financial reports as defined by "generally accepted accounting practices -- GAAP." Do you have information assets on the books that can suddenly lose their book value? This would include all matters of physical security, such as loss of computers (from whatever source), disappearance of laptops (a frequent occurrence), write-offs of software investments (that multimillion-dollar "enterprise system" that will be replaced by "e-commerce" before it is fully depreciated) or the expensive customer database that you acquired during the latest merger and that is now useless. Personally, I do not believe that most corporations will have much security or risk exposure from the loss of tangible information assets. However, it is paramount that before you launch into dealing with the security risks involving "intangible assets," your audience perceives you as a trustworthy and thoughtful fiduciary custodian. You must be seen in the same colorless hue as the firm's accountants or auditors, regardless of how unpalatable such mimicry may be to your tastes. If you succeed in passing this test, you are ready to proceed with the real issues.
Step #2: Start talking about risks in dollar terms
Next, you must display a thorough understanding of the worth of your firm's knowledge (or intellectual) assets in dollar-denominated terms. Here is where you could fall into the trap of trying to talk your way through by resorting to the latest buzzwords associated with these concepts. Almost everything that has been written on this topic is of little value because it comes from sociologists or professors who have never run a corporate computer department. The most legible material originates with journalists who are very good at quoting what the sociologists and professors say. Just do a web search on "Intellectual Capital" and you will be overwhelmed by thousands of pages of erudite text that does not relate in any way to money, except for making vague allusions to the stock market valuations that somehow prove the intellectual worth of your firm. If you follow such advice (and the much-cited Skandia Insurance Company is always used as an example), beware that under no circumstances should you succumb to the temptation to relate your information security funding requests to specific threats to your firm's share price. The ever-present legal counsel will march you out of the conference room and you will never be invited to make a budget presentation again.
For the next installment of budget survival instructions, please tune in next month.
Paul A. Strassmann's service as a chief information systems executive started in 1957. Since his "retirement" in 1993, he has continued engagements in matters related to information security.