From the “Top 10 Signs Your Network and Security Design Might Be Far Behind” Series
Setting up your CFO (or the equivalent in a privately held company) as an ally is perhaps the #1 thing we can do to set everyone up for success. Even if it’s not an absolute #1, few can argue it isn’t high enough up on the top 10 list.
Sadly, there are many in infosec leadership who don’t have a strong relationship with this key position. Or, worse yet, are at times near adversaries. And for those who are more distant than they should be, a major ransomware attack or PII / PHI data loss is not the time to try to make that positive first impression.
Maybe don’t take so much advice from security conference round tables and panels
Last year alone I spoke at a whopping 47 security conferences. These ranged from ISSA chapter meetings to C-suite breakfasts, lunches, and dinners. To say the very least, it was a very informative year, as I always seek to learn more at these events than I, myself, share. Without seeking to brag, on the topics I speak about (cloud security…), I am the smartest person in the room. That’s why I am out there on the speaking circuit, after all. And if I don’t believe that, well, I really shouldn’t be standing up there talking.
But there is just so much to information security that I am always eager to hear and learn from all the other great disciplines. Two of the cornerstone topics out there are “how to present to the board” and “how to get more money for security”. Both great topics, but I take issue with the latter one, in which vendors typically stand up in front of top practitioners and coach them on how to get more funding for their projects. A bit too convenient for the vendors, right?
Be the standout – go for lowering costs
Both the security appliance vendors and their reseller channel will want to beat the living snot out of me right about now, but I’m going to say it anyway. You can absolutely spend much, much less on IT security and yet achieve far greater results.
The problem, as I have seen it time and time again, is that organizations settle for average. That’s what humans do pretty much every day of their lives — settle. “Okay honey, we can get the minivan… (when you know you wanted the big SUV with the sport package!)”. We look at our peers, see what they have, and settle for it. Average security, at an average price, sold to us by an average VAR. And all of this at a time when even Moore’s Law is being challenged by the very company that brought it into existence. So we grow to like it, even when our wisdom and spirit tell us the opposite.
Look at security on a scale of 1 to 10, with 10 being the highest. Then look at your spending for that number. When asked, most will say that their level of spending directly correlates to their level of security. “Hey CFO/CEO/Board, if you want us to be a 10 on security, you have to fund us up to the 10 level.” And it’s sad, because it’s just not necessary…or right. In fact, there are companies all over the world (big ones, even) who are showing that they have been able to get security to well above an 8/10 on their scale, for < 3/10 pricing.
And that’s a margin that will absolutely have the CFO doing backflips!
Congratulations, you have a powerful ally…for life!
Follow the money…that’s what they tell us. Pretty solid advice, it seems. If we can show the CFO and the rest of the executive leadership team that we are great for the bottom line, then we are going to have some pretty strong alliances. Ten years from now, when that golden opportunity opens up, the story of how you did what everyone else thought at least improbable, backed by your team of allies, could carry you right over the top in consideration. With any luck, you will have to get the rumors under control just a bit (No, Sally, it wasn’t $10 billion I helped save. It was closer to $5 billion, but I honestly can’t remember exactly, especially with the qualitative measures in play…). 🙂