How to get your CEO to open the corporate coffers for investment - PowerPoint PPT Presentation

About This Presentation
Title:

How to get your CEO to open the corporate coffers for investment

Slides: 22
Provided by: isabell82

Transcript and Presenter's Notes

1
How to get your CEO to open the corporate coffers
for investment
  • Katerina Christaki
  • Awareness Raising Analyst
  • Katerina.Christaki@enisa.europa.eu

2
ENISA
  • EU agency set up in 2005.
  • MISSION: to achieve a high and effective level of
    Network and Information Security within the
    European Union.
  • HOW:
  • - It is a Centre of Expertise for the EU
    Member States and EU Institutions in Network and
    Information Security, giving expert advice and
    recommendations as well as acting as a switchboard
    of information for best practices.
  • - It facilitates contacts between the
    EU institutions, the Member States and
    private industry actors.
  • - It seeks to develop a culture of Network
    and Information Security for the benefit of
    citizens, consumers, business and public sector
    organisations in the European Union.

3
The Role of the AR (Awareness Raising) Section of ENISA
  • Help monitor progress in national approaches
    to awareness raising.
  • Provide an inventory of good practices that have
    been run or planned in public/private
    organisations.
  • Develop dissemination plans to share good
    practices.
  • Provide material that could be customised and
    presented to organisations to facilitate their
    work on awareness raising.
  • Contribute to the implementation of an
    information security culture in the Member States
    by encouraging users to act responsibly and thus
    operate more securely.

4
  • Launched last February, counting 177 members from
    40 countries as of January 2009. Its main objective is
    to share and analyse good practices in Awareness
    Raising across Europe and the world and to offer a
    perspective on what public institutions and
    private companies could do to enhance information
    security awareness.
  • It is a subscription-free community and a
    co-operation platform open to experts who have an
    interest in engaging in raising information
    security awareness within their organisations,
    regardless of the sector to which they belong.

5
(No Transcript)
6
A Virtual Working Group composed of ENISA AR
community members published in 2008:
  • Obtaining support and funding from senior
    management for awareness raising initiatives
  • The report points out the obstacles and
    challenges in obtaining support and funding from
    senior management and provides practical advice
    on how to overcome these issues during the
    planning and implementation phases of an
    information security programme.
  • Target audience: Chief Information Officers,
    communication specialists and others who would
    like to organise an AR initiative in a company.

7
The need for Management support
  • Information security is both a technical issue
    and a business and governance challenge that
    requires the involvement of senior management and
    executives to decide how to react to emerging
    threats.
  • The priority given by senior management to
    awareness initiatives has a decisive impact on
    the extent to which these programmes will be
    successful.

8
The need for Management support
  • Senior management is barraged with requests;
    rejecting ideas is almost a reflex.
  • Information Security initiatives provide value
    either through the management of identified risks
    and reduced incident costs (and thus increased
    profit and enabled growth),
  • or
  • through improved governance effectiveness and
    compliance.
  • You cannot manage what you cannot measure
  • .... yet IS awareness impacts are mostly intangible
    by their nature.

9
Five steps to obtain corporate security
investments
  • Define the investment rationale and the right
    stakeholders
  • Build a persuasive business case so that senior
    management better understands the value of the
    investment, to obtain funding and commitment
  • Identify the most common expenses that may be
    incurred and make rough estimates of programme costs
  • Link business benefits to the information security
    initiative; define and calculate performance
    metrics
  • Outline a typical path for facing a corporate
    executive in a senior management briefing

10
Define the investment rationale and the right
stakeholders
  • Why should we as an organisation invest in this
    AR effort?
  • The investment process starts when the security
    manager has documented an identified need for
    risk mitigation.
  • The main rationale behind these needs varies, and
    it determines which methods of cost-benefit
    analysis are useful.
  • Examples of the driving forces that create the
    main rationale:
  • an identified risk or gap in the current control
    environment,
  • provision of a business enabler, such as training
    of customers,
  • compliance with a growing number of laws,
    regulations and industry standards.

11
Define the investment rationale and the right
stakeholders

12
Define the investment rationale and the right
stakeholders
  • The security manager needs to address the correct
    stakeholders to avoid lack of investment or
    commitment where needed.
  • The following questions should be considered
  • Who will make the formal investment decision?
  • Who will fund the investment?
  • Which other stakeholders could have an impact on
    the decision?
  • What are the key targets and strategic goals for
    these stakeholders?

13
Build a persuasive business case
14
Make estimates of programme costs
  • Costs vary depending on organisation and
    initiative
  • Common cost elements are
  • Personnel working on the initiative,
  • Operational costs (like rent of equipment, AR
    materials etc.),
  • Advertisement and promotion,
  • Training rooms etc.

15
Identify metrics and success indicators
  • Non-financial measures that can be used include:
  • Impact on a core information security metric
    (loss of laptops, virus and malware infection
    rates)
  • Impact on a knowledge benchmark (through surveys)
  • Less employee time spent on corrective controls
    (measure before and after)
  • Incident avoidance benefits (average total cost
    of incidents per annum)
  • Incident cost reductions (before-and-after effect
    on the cost of business disruption, direct financial
    cost, brand value etc.)
  • Financial measures, e.g. Return On Investment
    (ROI), Net Present Value (NPV) etc.
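As an added worked example (not part of the presentation or the ENISA report), the following Python carries the measures above through on constructed figures: the cost elements from the previous slide, a before-and-after core metric (malware infection rate), the resulting incident cost reduction, and the ROI and NPV financial measures. It also includes the pilot-study check from the "major roadblocks" slide, where a limited pilot's observed benefit is compared with the projection. The 8% discount rate, all cost and incident figures, and the 20% pilot tolerance are assumptions chosen for illustration.

```python
"""Worked cost-benefit calculation for a security awareness programme.

Added illustration, not from the ENISA presentation or report. Every
figure below is constructed for the example; replace it with your own
estimates and measured before/after metrics.
"""
from dataclasses import dataclass


@dataclass
class ProgrammeCosts:
    """Cost elements named on the 'Make estimates of programme costs' slide."""
    personnel: float
    operational: float      # equipment rental, AR materials, ...
    promotion: float        # advertisement and promotion
    training_rooms: float

    @property
    def total(self) -> float:
        return self.personnel + self.operational + self.promotion + self.training_rooms


def incident_cost_reduction(incidents_before: int, incidents_after: int,
                            avg_cost_per_incident: float) -> float:
    """Before-and-after benefit: avoided incidents times average incident cost."""
    return (incidents_before - incidents_after) * avg_cost_per_incident


def roi(total_benefit: float, total_cost: float) -> float:
    """Return on investment as a fraction (0.25 means 25%)."""
    return (total_benefit - total_cost) / total_cost


def npv(cash_flows: list[float], discount_rate: float) -> float:
    """Net present value; cash_flows[0] is year 0 and is not discounted."""
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def pilot_validates(projected: float, observed: float, tolerance: float = 0.2) -> bool:
    """Does a limited pilot's observed benefit land within `tolerance` of the projection?

    A projection of zero or less cannot be validated, so it fails the check.
    """
    if projected <= 0:
        return False
    return abs(observed - projected) / projected <= tolerance


def worked_example() -> dict:
    """Constructed figures (assumption): a 3-year programme with a year-0 launch.

    Core metric: malware infections drop from 120/yr to 60/yr, at a constructed
    average cost of 1,500 per incident.
    """
    launch = ProgrammeCosts(personnel=60_000, operational=10_000,
                            promotion=5_000, training_rooms=5_000)
    refresher_per_year = 30_000            # assumption: ongoing annual effort
    benefit_per_year = incident_cost_reduction(120, 60, 1_500)   # 90,000
    # Year 0 is the launch with no benefit yet; years 1-3 carry the net benefit
    # after the yearly refresher cost.
    flows = [-launch.total] + [benefit_per_year - refresher_per_year] * 3
    total_cost = launch.total + 3 * refresher_per_year
    total_benefit = 3 * benefit_per_year
    return {
        "benefit_per_year": benefit_per_year,
        "roi": roi(total_benefit, total_cost),
        "npv_at_8pct": npv(flows, 0.08),
        # Constructed pilot: one department projected to avoid 10 incidents
        # (15,000), actually avoids 9 (13,500). Within 20%, so the projection holds.
        "pilot_ok": pilot_validates(projected=15_000, observed=13_500),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

The NPV matters more than the raw ROI for a multi-year programme because the launch cost is paid now while the avoided-incident benefit arrives later; management will discount it. The pilot check is what turns the projected numbers into something a sceptical CFO can accept, so the before/after metric must be collected from the pilot department before the full roll-out is argued for.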

16
Effective communication
  • Effective communication is critical:
  • the right information (value of the initiative,
    realistic budget needs, legal requirements for
    education, strategy, senior management
    responsibilities, leading practices, increasing
    IS threats etc.)
  • should be delivered
  • in the right manner: keep it non-technical and
    simple,
  • and at the right time: preferably 6-12 months ahead
    of the project.

17
How to respond to major roadblocks..
  • 1. Insufficient management understanding of
    the net value of security awareness?
  • Use initial seed funding and demonstrate the
    value of security awareness using the terminology and
    high-level issues most relevant and of concern to
    senior management (e.g. compliance, governance
    effectiveness or cost reductions).
  • 2. Insufficient confidence in the
    cost-benefit analysis (the estimated financial
    benefits of improved security awareness)?
  • Deliver a limited pilot study covering, for example, a
    single department, site or business unit
    to prove the awareness methods and validate the
    projected numbers; this implies that suitable
    metrics must already be in place.

18
Risks
  • 1. The programme takes too long to get going or
    runs out of steam
  • This is the fate of many awareness programmes that relied
    on once-a-year awareness events. Behavioural
    research indicates that short one-off events are
    unlikely to have much, if any, long-term impact,
    especially if the events are relatively banal.
  • 2. The programme does not receive the necessary
    widespread management support to have the desired
    effect
  • If management does not understand the rationale
    for the programme, there is less chance of it
    receiving the necessary level of support,
    especially if it is seen as someone's
    costly project.

19
Risks
  • 3. The programme is too costly or disruptive to
    operations
  • As with any investment, mismanagement of the
    awareness programme carries a risk of runaway
    costs and failure to deliver the anticipated
    benefits.
  • 4. The programme fails to deliver, i.e. it is
    actually ineffective or is perceived as such
  • The cultural changes that accompany even an
    effective security awareness programme are likely
    to be quite subtle, so subtle in fact that they
    may not be recognised or appreciated as such.
  • The key to addressing this risk is to plan
    for the long term and not to expect
    dramatic results in the first few months of the
    programme. Setting management's expectations
    realistically is therefore essential.

20

21
More on the issue
  • ENISA's publications page:
  • http://www.enisa.europa.eu/pages/05_01.htm
  • Send us an email at
  • awareness@enisa.europa.eu