Information security's role is becoming more strategic, but its approach to making investment decisions hasn't kept pace. To better align security investments with enterprise strategy, IT and security leaders must stay focused on the right risks, add rigor to decision making processes, and give stakeholders opportunities for input.
The kids are back in school, the leaves are changing color, and the days are growing shorter – all signs it’s time for IT leaders to start thinking seriously about next year’s budget. One key issue that CIOs need to consider when drafting their 2018 budgets is how information security’s role is changing within the organization and how best to support that change.
IT and business leaders need information security to take on a more strategic focus, but so far, at least, its investment priorities haven’t followed suit.
As organizations transform their business models to support new digital products and services, information security will increasingly adopt the role of “digital business enabler.” That means finding new ways to help business leaders take smart risks with information technology in pursuit of new growth or competitive advantage. This will change the way organizations deliver security, the skills and tools security teams will need to be effective, and the way security leaders prioritize their investments.
Security teams will soon need to lead or support a broader scope of activities, everything from security operations to advising the board. They will face tighter timelines with more stakeholders competing for their time and energy. To make matters worse, the global shortage of skilled security professionals will make bringing on new talent a difficult and expensive proposition. These converging factors will strain Information Security’s ability to support the enterprise’s most urgent priorities, demanding a more rigorous approach to selecting security investments.
Why Most Security Investments are Out of Sync with Business Needs
One would think that as information security matured from back-office function to a more strategic role, CISOs’ approaches to portfolio prioritization would have followed suit. However, that’s not necessarily the case. Speaking with dozens of IT and security leaders, we found that most approaches to making security investment decisions are largely subjective. Too often, they’re based on personal expertise and credibility rather than systematic processes and business value metrics.
As a result, companies tend to invest in mitigating the wrong risks, or they duplicate investments that other functions have already made. Misalignment with enterprise strategy not only creates drag and limits innovation, it strains relationships with the very stakeholders security leaders need to win over to be effective in a business enablement role.
How to Make Better Investments in Security
That’s why IT and security leaders need to rethink their approach. Below, we’ll outline a few tips and tricks IT leaders can use to make their security portfolios more business-centric, process-driven, and transparent to non-IT stakeholders.
1. Stay Focused on the Right Risks. As information security takes on a more strategic role, IT leaders should build their security portfolios around enabling digital business, not just reducing risk. It’s important to keep in mind that cyber risks pale in comparison to the risk of technological disruption or being outmaneuvered by the competition. For instance, it doesn’t make sense to agonize over which new controls to invest in when the company is hemorrhaging money because security’s waterfall-style governance model is keeping Agile teams from shipping code on time.
To align new security investments with the enterprise’s strategic goals, start by bringing in the help of senior IT and business leaders to provide context for the security team. Brainstorm a list of the top 5-6 business capabilities or goals for the upcoming year, and rank them according to relative importance. (Hint: These should closely resemble your CEO’s performance objectives.) Use these as portfolio objectives around which security leaders can set informal spending targets. But instead of spreading funding equally across each one, channel disproportionate investment toward the areas of greatest strategic opportunity.
2. Develop a More Systematic Decision Framework, but Don’t Overthink It. It’s clear that IT leaders need a more rigorous approach to selecting security investments, but that’s often easier said than done. In an effort to reduce subjectivity, some practitioners over-correct by trying to reduce investment decisions to a single dollar-value metric, such as a project’s ROI or net present value. But given the difficulties of quantifying information risk, dollar-value calculations are costly to perform and are typically met with skepticism by other stakeholders.
Instead, IT leaders should adopt a framework for vetting investment proposals that is methodologically rigorous while not overly cumbersome. One approach that works well is a two-step triage mechanism that allows for quick decisions on obvious high-value investments and a more comprehensive process for others:
Step 1: Use 3-4 business-centric criteria (e.g., Strategic Alignment, Total Cost, Urgency) to triage new investment proposals into High/Medium/Low Value categories. High-value proposals can be included in the portfolio without additional review, while Low-value proposals can be set aside.
Step 2: Reserve a more comprehensive review for medium-value proposals. Evaluate these projects along 12-15 cost, benefit, and risk criteria, relying on scaled qualitative scoring wherever possible.
3. Give Stakeholders Predictable Opportunities for Input. One thing leading IT and security leaders stress is that creating formalized, predictable touchpoints for soliciting stakeholder feedback is key to ensuring the credibility of security investment decisions. Business partners who have opportunities to share input tend to buy into the outcomes of those decisions, whereas those who don’t feel adequately consulted are more likely to derail the process. Existing governance or steering committees provide an ideal venue for working with outside stakeholders to define security portfolio objectives, fine-tune spending targets, vet project scoring criteria, and re-prioritize security resources to account for shifts in enterprise strategy.
As the last point implies, experienced IT leaders understand that portfolio prioritization is an ongoing process. Investing in lasting partnerships can help to ensure that security portfolios remain in sync with the larger enterprise to help drive its digital transformation.
This article was written by Andrew Horne and Chris Cornillie of CEB, now Gartner. Chris Cornillie is a senior analyst covering information security and risk management. He has a Master’s degree from the University of Chicago.
Andrew Horne is an IT practice leader at CEB, now Gartner, a best practice insight and technology company. Since joining CEB in 1999, he has authored studies on topics including IT strategy development, performance and value measurement, business intelligence and big data, IT ...