Title: How to get your CEO to open the corporate coffers for investment
1 How to get your CEO to open the corporate coffers for investment
- Katerina Christaki
- Awareness Raising Analyst
- Katerina.Christaki_at_enisa.europa.eu
2 ENISA
- EU agency set up in 2005.
- MISSION: to achieve a high and effective level of Network and Information Security within the European Union.
- HOW:
  - It is a Centre of Expertise for the EU Member States and EU Institutions in Network and Information Security, giving expert advice and recommendations as well as acting as a switchboard of information for best practices.
  - Facilitates contacts between the EU institutions, the Member States and the private business industry actors.
  - It seeks to develop a culture of Network and Information Security for the benefit of citizens, consumers, business and public sector organizations in the European Union.
3 The Role of the AR Section of ENISA
- Help monitoring the progress in national approaches to awareness raising.
- Provide an inventory of good practices that have been run or planned in public/private organisations.
- Develop dissemination plans to share good practices.
- Provide material that could be customised and presented to organisations to facilitate their work on awareness raising.
- Contribute to the implementation of an information security culture in the Member States by encouraging users to act responsibly and thus operate more securely.
4
- Launched last February, counting 177 members from 40 countries as of January 2009. Main objective: to share and analyse good practices in Awareness Raising across Europe and the world and offer a perspective on what public institutions and private companies could do to enhance information security awareness.
- It is a subscription-free community and a co-operation platform open to experts who have an interest in engaging in raising information security awareness within their organisations, regardless of the sector to which they belong.
6 A Virtual Working Group composed of ENISA AR community members published in 2008:
- "Obtaining support and funding from senior management for awareness raising initiatives"
- The report points out obstacles and challenges to obtaining support and funding from senior management and provides practical advice on how to overcome these issues during the planning and implementation phases of an information security programme.
- Target audience: Chief information officers, communication specialists and others who would like to organise an AR initiative in a company.
7 The need for Management support
- Information security is both a technical issue and a business and governance challenge that requires the involvement of senior management and executives to assess how to react to emerging threats.
- The priority given by senior management to awareness initiatives has a definitive impact on the extent to which these programmes will be successful.
8 The need for Management support
- Senior management is barraged with requests; rejecting ideas is almost a reflex.
- Information Security initiatives provide value
  - either through the management of identified risks and reduced incident costs, such as increasing profit and enabling growth,
  - or through improved governance effectiveness and compliance.
- You cannot manage what you cannot measure ... IS Awareness impacts are mostly intangible by their nature.
9 Five steps to obtain corporate security investments
- Define the investment rationale and the right stakeholders
- Build a persuasive business case to make senior management better understand the value of the investment, to obtain funding and commitment
- Identify the most common expenses which may be incurred and make rough estimates of programme costs
- Link business benefits to an information security initiative; define and calculate performance metrics
- Detail a typical path to face a corporate executive in a senior management briefing
10 Define the investment rationale and the right stakeholders
- Why should we as an organisation invest in this AR effort?
- The investment process starts when the security manager has documented the identified need for risk mitigation.
- The main rationale for these needs varies, and determines methods for useful cost benefit analysis.
- Some examples of main driving forces that create the main rationale:
  - identified risk or gap in the current control environment,
  - provision of a business enabler such as training of customers,
  - compliance with growing numbers of laws, regulations and industry standards.
12 Define the investment rationale and the right stakeholders
- The security manager needs to address the correct stakeholders to avoid lack of investment or commitment where needed.
- The following questions should be considered:
  - Who will make the formal investment decision?
  - Who will fund the investment?
  - Which other stakeholders could have an impact on the decision?
  - What are the key targets and strategic goals for these stakeholders?
13 Build a persuasive business case
14 Make estimates of programme costs
- Costs vary depending on organisation and initiative.
- Common cost elements are:
  - Personnel working on the initiative,
  - Operational costs (like rent of equipment, AR materials etc.),
  - Advertisement and promotion,
  - Training rooms etc.
15 Identify metrics and success indicators
- Non-financial measures that can be used include:
  - Impact on a core information security metric (loss of laptops, virus and malware infection rates)
  - Impact on a knowledge benchmark (through survey)
  - Less employee time spent on corrective controls (measure before and after)
  - Incident avoidance benefits (average total cost for incidents per annum)
  - Incident cost reductions (before and after effect on cost of business disruption, direct financial cost, brand value etc.)
- Financial measures, e.g. Return On Investment (ROI), Net Present Value (NPV) etc.
16 Effective communication
- Effective communication is critical.
- The right information (value of the initiative, realistic budget needs, legal requirements for education, strategy, senior management responsibilities, leading practices, increasing IS threats etc.) should be delivered
  - in the right manner: keep it non-technical and simple
  - at the right time: preferably 6-12 months ahead of the project
17 How to respond to major roadblocks
- 1. Insufficient management understanding of the net value of security awareness?
  - Use initial seed funding and demonstrate the value of security awareness using terminology and high-level issues most relevant and of concern to senior management (e.g. compliance, governance effectiveness or cost reductions).
- 2. Insufficient confidence in the cost-benefit analysis (estimated financial benefits of the improved security awareness)?
  - Deliver a limited pilot study, such as covering a single department, site, business unit and so on, to prove the awareness methods and validate the projected numbers; this implies that suitable metrics must be in place.
18 Risks
- 1. The programme takes too long to get going or runs out of steam
  - The fate of many awareness programmes that relied on once-a-year awareness events. Behavioural research indicates that short one-off events are unlikely to have much if any long-term impact, especially if the events are relatively banal.
- 2. The programme does not receive the necessary widespread management support to have the desired effect
  - If management does not understand the rationale for the programme, there is less chance of it receiving the necessary level of support, especially if it is seen as someone's costly project.
19 Risks
- 3. The programme is too costly or disruptive to operations
  - As with any investment, mismanagement of the awareness programme carries a risk of runaway costs and failure to deliver the anticipated benefits.
- 4. The programme fails to deliver, i.e. is actually ineffective or is perceived as such
  - The cultural changes that accompany even an effective security awareness programme are likely to be quite subtle, so subtle in fact that they may not be recognised or appreciated as such.
  - The key to addressing this risk is to plan for the long term, not expecting to achieve dramatic results in the first few months of the programme. Setting management's expectations realistically is therefore something to be taken into account.
21 More on the issue
- ENISA's publications page: http://www.enisa.europa.eu/pages/05_01.htm
- Send us an email at awareness_at_enisa.europa.eu