Justifying Cyber-security Expenditures

Here are some tips from one cyber-security program manager on what to say—and what not to say—when making your pitch to top management.

When the Tennessee Valley Authority (TVA) created an enterprise information technology (IT) security group a couple of years ago to handle cyber security for the organization, it thrust those involved with the group into unfamiliar territory.

Placed in a cross-functional role, group members found themselves in meetings with senior managers, with responsibility for justifying the costs associated with cyber-security upgrades and budget expenditures. “We had a place at the table that we’d never really had before, and we didn’t know how to speak the language and the lingo,” said L. C. Williams, program manager for Cyber Strategies & Solutions at TVA, a U.S. government-owned corporation that provides electricity for 9 million people in parts of seven southeastern states.

During a presentation at the Critical Infrastructure Security Summit, held June 22-23 in Alexandria, Va., and sponsored by conference provider IQPC, New York, Williams offered a case study on how his group developed an effective business case for cyber-security investments by learning to think and talk in a language that its enterprise stakeholders could understand. And while Williams described lessons learned from an IT perspective, many of the approaches the group developed apply equally to operations-level security managers and others charged with “selling” the need for cyber-security expenditures to sometimes skeptical executives.

Among the first things the group had to learn was that funding for security cannot be sustained by instilling fear of an event occurring, Williams said. When attempting to sell cyber-security investments to top managers, you should “ignore gratuitous statistics,” such as the number of cyber intrusions that your existing security systems have stopped, the number of patches installed, or the latest news headlines recounting dire cyber events. Likewise, Williams advised, don’t stoke management fears by bringing up all of the bad things that could happen without adequate cyber-security investments, such as control-system shutdowns or fines for noncompliance with cyber-security standards.

Elephant repellant

These tactics may be effective at first. But when the feared incidents then fail to occur, executives can develop a “desensitivity” to the threats, even if effective cyber-security measures are the very reason no incidents occurred. When fear of an event is not “rewarded” quickly, managers can begin to question the need for expenditures, Williams observed. “Selling cyber security is like trying to sell elephant repellant. Until there is an actual breach, no one can be sure that the measure was worth the expense.” When top managers become desensitized to the threats, it can lead to unbalanced funding scenarios, in which “we don’t get funding to do things until an event happens, or an event almost happens, and then we go into reactionary mode,” Williams said. This reactive posture, in turn, is highly inefficient and incurs unnecessary costs.

To avoid this scenario, the TVA group decided to embrace a different approach involving the concept of operational risk management, in which operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In this context, actions taken to reduce the probability of a cyber event can be stated using financial metrics. Knowing that every vulnerability has a potential cost associated with it, “we can then quantify everything that we employ as being a financial hedge against that number,” Williams explained, “because the outlay that we spend on negating some vulnerability is less than the cost of the vulnerability actually happening.”

When communicating with executives, security professionals must think of themselves as risk managers, economists, statisticians, internal consultants and as an audit function, he said. “We must show that we are actively investing in the success of the company, and not just tech support.” The approach involves speaking to executives and other stakeholders in their own language. Make sure that cyber security is defined not just as defending against intrusions, but as a quality-of-service factor that allows for seamless and unobtrusive operations, Williams advised. “Your value proposition is: The more things that go right the first time, the more revenue there is.”

Know your business

Among other things, this approach requires developing a thorough understanding of how the organization makes money, and the value of system availability and uptime. “We broke it down to our real-time operations and monetized and correlated exactly what that throughput was, so that every minute of downtime had a cost to it,” Williams said. “So every time we increase the system uptime, we’re actually creating value for the company. We’re preventing value from evaporating.” Effective security is about things going well and being predictable, and not the chaos of unpredictability, he added.

Security managers should be sure that they know when the last cyber-security event occurred at their companies, Williams advised. “Do a deep, root-cause analysis and really figure out what the full monetary value and cost of that incident was. And then keep that number handy,” he added, “because that number is really going to be your key to communicating.” Your chances of receiving funding approval for a $1 million expenditure are improved when you can make it clear that you know the costs of a potential incident down to the minute, or to the second, and that the new spending could help prevent a $20 million incident like the last one, for example.

In the end, for security professionals charged with justifying cyber-security expenditures, a new way of thinking and talking about the issue may be a key to success. “We found out that our executives and the people who fund us don’t understand technology the same way that we do, and they look at things in a very different way,” Williams said. “So we found that the best way to communicate is to really dig into what’s important to our business, and then make those things our goals.”
