How to sell risk assessment benefits to IT execs

Need to justify the expense and effort of a risk assessment? Security policy guru Charles Cresson Wood spells out 10 risk assessment benefits to convince your boss.

Scrutinizing expenses is a primary responsibility of senior executives. They won't approve a single purchase order unless you show a benefit.

As a security manager, you know that organization-wide security risk assessments are expensive. Examiners and auditors from the Big 4 will charge huge fees -- as much as $500 per hour -- to comb your network for vulnerabilities, inefficiencies and noncompliance with security policies and standards. And what do you get for it? A big stack of paper filled with barely comprehensible technobabble. The corner office can't easily appreciate that.

You know you need a risk assessment to show that you're secure and to find the problems that expose your enterprise to risk. But how do you sell your CFO on that expensive proposition? My advice: Use these 10 risk assessment benefits to show that a risk assessment isn't only necessary, but also can produce some cost-saving benefits.

1. Plug Security Holes

No network, no matter how tightly guarded, is immune to the occasional lapse in its defenses or hole in its infrastructure. A risk assessment report is a "to do" list for correcting specific problems and improving overall security.

With a report in hand, you'll have a snapshot of your organization's security. You will see everything, from which servers lack critical patches to a faulty token distribution process that leaves applications open to compromise. The report helps prioritize your efforts and gives you a baseline for measuring progress.

2. Determine Security Requirements

Good security has a lot to do with change control management and adherence to established policies. A risk assessment defines what policies are needed and how well an organization is complying with those policies.

Why have a policy and process? You don't, for example, want your firewall admin to randomly change rule sets, do you? Your policy defines who can make firewall configuration changes, how those changes are approved and implemented, and what documentation is required.

Organizations have two choices when it comes to establishing policies: develop their own or adopt existing standards. The ISO 17799 security management standard is a good starting point for establishing a general framework. But every organization is different, and a risk assessment will identify the unique policy and process requirements of your company.

3. Justify Spending

Regardless of the perceived need for security, executives and budget planners want quantitative justification for spending. A risk assessment is a definitive statement about what needs to be done to improve or correct a security program.

You can use a risk assessment report to calculate the cost of improving security and estimate the benefits -- or ROI.

Suppose a risk assessment finds that 40 percent of your servers haven't been patched for a critical Windows vulnerability. You could use the report to show executives how automated patch management would improve security and save the company money by expediting the patching process. A risk assessment can also show the cost of not improving security by documenting recovery costs from a security incident, such as a worm infection.

Quantified analysis is always useful in swaying executives' decisions.

4. Review Purchases

A risk assessment gives you a close-up look inside your computing environment. This kind of insight is invaluable in selecting appropriate security products and services -- you don't want to spend $20,000 on a security measure to correct a $1,000 problem.

You'll blindly spend precious security dollars unless you know what you're defending and how valuable it is. For instance, a risk assessment will help you decide that a storage encryption system for protecting routine Word documents on an NT file server isn't worth the expense. But it also will show that buying database security tools to protect customer records and financial transactions on a SQL Server is a good investment.
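As an added example (not from the article or its author), here is the annualized-loss arithmetic that turns the patching finding in section 3 and the buy-versus-skip decisions in section 4 into a spending case; every server count, dollar figure, incident rate and control cost below is a constructed assumption.

```python
# Annualized loss model that turns risk assessment findings into a spending case.
# Added example; every dollar figure and rate below is a constructed assumption.
from dataclasses import dataclass


@dataclass
class Finding:
    """One finding from the assessment report, with constructed loss parameters."""
    name: str
    asset_value: float      # value of the assets at risk
    exposure_factor: float  # fraction of that value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO, with SLE = value * exposure."""
        return self.asset_value * self.exposure_factor * self.aro


def justify(f: Finding, control_cost: float, risk_reduction: float) -> dict:
    """Build the executive case for a control that costs `control_cost` per year
    and cuts the finding's ALE by `risk_reduction` (0..1).
    ROSI = (ALE_before - ALE_after - cost) / cost; below zero means the
    control costs more than the loss it prevents, so skip it."""
    before = f.ale()
    after = before * (1.0 - risk_reduction)
    rosi = (before - after - control_cost) / control_cost
    return {"finding": f.name, "ale_before": before, "ale_after": after,
            "annual_saving": before - after, "rosi": rosi, "buy": rosi > 0}


# Constructed scenarios mirroring the article's illustrations.
# 200 servers with 40% missing a critical patch; worm cleanup put at $2,500 each,
# and an outbreak reaching them assumed once every two years.
UNPATCHED = Finding("unpatched servers", asset_value=200 * 0.40 * 2500,
                    exposure_factor=1.0, aro=0.5)
# Routine Word documents on a file server: low value, rarely lost.
WORD_DOCS = Finding("routine documents", asset_value=5000,
                    exposure_factor=0.2, aro=0.1)
# Customer records and financial transactions on SQL Server: high value.
CUSTOMER_DB = Finding("customer records", asset_value=2_000_000,
                      exposure_factor=0.25, aro=0.2)

if __name__ == "__main__":
    # Automated patching $60k/yr at 90% reduction, storage encryption $20k/yr,
    # database security tools $50k/yr at 80% reduction.
    for f, cost, cut in ((UNPATCHED, 60000, 0.9), (WORD_DOCS, 20000, 0.9),
                         (CUSTOMER_DB, 50000, 0.8)):
        print(justify(f, cost, cut))
```

Swap in your own asset values and the recovery costs from your last incident to produce the quantified comparison executives ask for.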

5. Improve Planning

By being proactive and identifying security problems before they're exploited, you create an opportunity to significantly lower the cost of security. It's no secret that it's less costly to deal with security before serious problems arise than it is to deal with it during a crisis or incident recovery.

Planning for security events begins with understanding an organization's strengths and weaknesses. Enterprises can use a risk assessment to design and build secure network architectures, develop security policies and create security contingency plans.

Risk management is about reducing an enterprise's threat exposure to an acceptable level. A risk assessment will provide focused information about threats, how well you're protected against those threats and what's missing from your security program.

6. See the Big Picture

A risk assessment is more than running a vulnerability scanner against a network segment and creating a prepackaged report. It's a holistic examination of the security infrastructure -- technology, people and processes.

A comprehensive risk assessment will do all of the bits-and-bytes things you'd expect: scanning for vulnerabilities, checking system maintenance and security policy, reviewing logs, etc. Often, it also involves interviewing the people who use the network -- everyone from the security manager to human resources, legal to auditing.

These interviews will reveal your organization's security awareness level, as well as recent incidents and problems. In other words, the process will reveal who in your organization understands security and who still needs to be converted.

7. Increase Motivation

Independent auditors and examiners typically perform risk assessments. This can motivate an enterprise's security team, end users and others because it verifies and validates their work to management. In effect, an objective party is saying, "Your work is important to the organization."

The risk assessment also communicates that staff members must be diligent and consistent with security-related matters. Without a risk assessment, end users will likely get the impression that security policies are simply window dressing meant to please the auditors -- in other words, completely ignorable.

Performing a risk assessment shows workers that management is serious about information security, and that it expects workers to take security seriously, too.

8. Sell Infosecurity

Perhaps one of the best ways to sell infosecurity internally is to link it directly to business needs. A risk assessment can establish that linkage by bringing together security and nonsecurity people. Once people see the impact security has on their operations, they're more likely to embrace it as a part of their business culture.

Through a risk assessment, employees will gain a sense of participation and ownership. Given an opportunity to make suggestions, staff members will help garner support when it comes time to make recommended changes.

9. Preempt Surprises

There are some things you can't defend against, no matter how many firewalls you erect. A layered security infrastructure will protect your company against 98 percent of the known threats, but there's always the possibility of compromise through a zero-day exploit or some other vulnerability for which there's no defense. A risk assessment allows you to quietly assess and catalog your security gaps so you can react appropriately in the event of a compromise.

There's no legal or moral requirement to announce the results of a risk assessment, at least not yet (some legislators are discussing this for publicly traded companies). However, it does create a paper trail that should be guarded. Any attacker would love to lay his hands on your risk assessment report; it would provide a road map for compromising your network.

10. Document Due Diligence

A risk assessment is a verification and validation of an organization's adherence to best practices and compliance with government regulations.

Documentation is becoming critical as more government regulations are imposed and the potential for downstream liability lawsuits increases. Regulators want evidence that you're compliant with such laws as Sarbanes-Oxley. Insurance companies and business partners want documentation that you have good security practices. And authorities probing a complaint under the California Security Breach Notification Act (SB 1386) will seek proof that you have appropriate levels of data protection. A risk assessment report could be important evidence that documents an enterprise's due diligence in protecting its networks and information.

Not every risk assessment has every one of these benefits. But, without question, the final report will inform management about the current security posture and what needs to be done to mitigate risks. And that's an essential part of prudent risk management.

About the author:
Charles Cresson Wood, CISA, CISSP, is an information security consultant and author of several security books, including Information Security Roles & Responsibilities Made Easy (NetIQ, 2002).
