What Drives Executive Sponsorship?

I had a short but interesting conversation today about what it is that drives executive sponsorship in security initiatives. Most people seem to agree that executive sponsorship is critical to any major IT initiative. At a minimum, it makes things go much smoother. I've talked to many frustrated IT managers who don't understand why the exec's can't see the need to spend money on security. And making the business case isn't easy; especially when standing in the shoes of an IT manager (where there may be limited view into business strategy). Sure, there are dozens of examples from the news about security breaches that you could point to – and some of those breaches have carried heavy financial losses ($7B at Soc Gen) – but, it's like any other area of life where you naturally think it won't happen to me. Consider the executive point of view. Why spend budget on a problem that doesn't seem likely to affect us?

So, I think the key to getting executive sponsorship is to make the risk real. And understandable. And attached to an actual loss estimate. I'm talking about IT Governance and risk analysis. If the IT manager wants to make this happen, he has to wear the hat of Risk Analyst (RA). I made up the RA title for the purpose of this discussion. It could be someone from IT, someone from an audit group, a consultant – it doesn't matter. Here are the areas that the RA needs to analyze:

• Business assets that should be protected (information, applications)
• The cost associated to loss of those assets (stolen data, system downtime, breach)
• The threats and types of threats to those assets (hackers, viruses, DoS attacks)
• The likelihood of threats actually occurring (controls in place, ease of threat)

The organizational risk then becomes a computation of costs of asset loss and threat likelihood.

Then, the RA needs to get executive sign off on the risk analysis. The executive team is ultimately responsible for organizational risk. And in most cases, IT is so embedded in the way we do business that IT risk is business risk. Once the executive team understands the types of threats, the value of assets, and the likelihood of threats actually occurring, I believe they will push downward to put controls in place that manage the organization's risk effectively. If they don't, they're not doing their jobs.

In some cases, the reality may be that additional controls aren't needed based on the risk analysis findings. In those cases, you won't likely ever get executive sponsorship on a project to implement new controls. In other cases, the executive team will approach IT managers demanding additional controls for certain assets. At least, that's the idea.

And that's what it means to align information security with business goals. When you do that, I hope that the sponsors will find you. If it sounds like a little too much to bite off, start small. You can concentrate on a single asset (like customer credit card information) and perform a risk analysis on it. Even on a single asset, you may find ways to improve the organization's risk posture. And that's what information security is all about.