Whether you are freelancer in the information security sector trying to convince a company to hire you, or you are struggling with an employer to justify the annual information security budget, explaining the importance and value of what you do is a hurdle most people in the industry face.
While those in the infosec industry know the importance of maintaining IT security and the value the job brings to any organization in preventing threats, providing reputation management and preventing security breaches from grinding things to a halt, articulating this value is another matter, especially as value means different things to different businesses.
A Hidden Industry
IT is a fragmented industry. It is quite common for a company to have different departments responsible for different facets of the IT system. Those that create and look after the website may not be in the same department as the people who deal with online financial transactions, while internal company IT may be looked after by a completely different group of people. As information security is a more of a holistic craft, it can be quite difficult in getting the value of information security across to somebody who believes it’s the other department’s responsibility.
Time, resources and money are critical for all businesses and departments, and the big problem with information security is that it doesn’t offer any return on investment. Nobody in information security can turn round to a manager and say, hire me and I’ll save you x-amount of dollars each month. Furthermore, information security is very much a hidden craft because when it is working, the benefits are invisible. If there have been no security incidents, there is nothing to point at and suggest you can prevent it from happening again, and when there have been no incidents, it makes managers believe information security isn’t necessary. As a result, showing your worth can be incredibly difficult to do.
The Four R’s of Value
You can justify information security value, however, by centering on four aspects: Risk, Reputation, Regulation and Revenue.
Simply explaining the numerous threats modern businesses face isn’t going to convince anybody of your particular worth, especially if a company has survived so far without any trouble. Of course, there is nothing wrong in placing a little fear and uncertainty into people’s minds, but if you really want to get the value of information security across, don’t focus on the possible threats but emphasize the risks these threats pose. A manager will be more concerned knowing that a website could be disabled for the best part of a fortnight without the relevant information security infrastructure, than have you explain the numerous different methods it could be attacked.
Several big name businesses have had their reputations dented by security incidents in recent years. Even top tech firms such as Sony have had outages on their online gaming system and the details of 77 million customers compromised. This sort of high profile incident is very useful for explaining the damage a security incident can have on company’s reputation. If a company has spent years building a good, solid reputation, explaining just how quickly and easily this can be undone is a great way to emphasize the value of information security. It’s also worthwhile explaining it’s not just external threats that can damage a company’s reputation, as many organizations have suffered bad publicity due to the improper use of system by an internal user. As nearly every company now provides email and Internet access to its employees, it can be very easy for improper use to lead to embarrassment for the organization.
All businesses know about the trouble red-tape causes. Regulation in IT compliance changes year on year and often managers don’t really understand what it all means. Relieving this burden is something that adds obvious value to your services, especially as penalties for non-compliance can be quite severe.
Money talks far louder than words and while a return on investment is not something the infosec industry can ever boast about, information security can be instrumental in making savings. A security incident can result in a system grinding to a halt, losing an organization a serious amount of cash, and when there is an incident, the value of information security in getting things back up and running quickly is something that actually can be financially appraised.
PS: This article was written by one of our readers and does not necessarily reflect my opinion.