Tuesday, November 27, 2007

How to Convince CIO to Invest in Security?

It is often hard to justify investment in security technologies to CIOs. Security does not add to productivity directly; if anything, it creates impediments in the day-to-day life of employees and may introduce new processes and workflows. Most people do not take kindly to intrusion into their normal routines unless they are given a proper context. It is certain, though, that a lack of security will cost productivity when a security incident does happen.

Investment in security technologies is like insurance. As long as there is no incident, it appears unnecessary. But even a single incident is enough to unite everyone in the understanding of its need. Think of 9/11: after that unfortunate incident, the US government had little trouble convincing people to support the Patriot Act. The fact that security incidents create an awareness of the threats can be used effectively when lobbying for necessary controls and for a bigger budget if required.

I heard a talk at the RSA security conference many years ago and it has stuck with me even after so long. I do not remember who gave the talk, but I do remember that it described a real-life incident about how a group of network administrators convinced their CIO to invest in firewall technology (this is an old incident, and long ago, in Internet time, it used to be hard to get money for purchasing a firewall; I hope that today this is no longer the case and everyone responsible for security understands the importance of firewalls instinctively).

The network administrators were making a case to the CIO to purchase a firewall. They came up with presentation after presentation explaining how easy it was for anyone on the Internet to access their corporate network and possibly steal valuable information. This went on for a few weeks, but no amount of technical jargon and what-if scenarios convinced the CIO of the need for a firewall. His answer was always that what they said was all well and good, but no one had broken into the network and stolen anything, so why should he care? After a few weeks, the network team brainstormed about how to convince him. Finally, someone suggested an idea: they wrote a tool to monitor the network and to capture and process all incoming traffic, and they installed it on the network. After a while, even they were surprised by what they found. The monitoring tool made it clear that the company network was being scanned thousands of times daily, and that some of those attempts were trying to exploit specific services. Armed with this data, they went back to the CIO, and it was easy to convince him.
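The story does not say how the team's tool worked, so the following is an added example, not the tool from the talk and not code from this post. It shows the kind of analysis that turns raw inbound connection attempts into the two numbers a decision maker understands: how many sources are sweeping the address space (one source touching many ports within a short window), and how many attempts are aimed at specific services. The log format (`timestamp src dst dport proto flag`), the thresholds, the service-name table and the sample log are all assumptions constructed for this example; a real deployment would feed it from a packet capture or the perimeter device's own logs.

```python
"""Summarize inbound connection attempts into scan and service statistics.

Added illustration, not the monitoring tool described in the talk.
Assumed line format (not any real product's format):
    <ISO-8601 timestamp> <src ip> <dst ip> <dst port> <proto> <flag>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# A source that hits this many distinct ports inside WINDOW_SECONDS is
# reported as a scanner (thresholds are assumptions; tune for your network).
SCAN_PORT_THRESHOLD = 10
WINDOW_SECONDS = 60

# Ports worth naming to a non-technical audience (assumed, not exhaustive).
SERVICE_NAMES = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
                 135: "msrpc", 139: "netbios", 445: "smb",
                 1433: "mssql", 3389: "rdp"}


@dataclass
class Attempt:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    flag: str


def parse_line(line):
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        return Attempt(datetime.fromisoformat(parts[0]), parts[1], parts[2],
                       int(parts[3]), parts[4], parts[5])
    except ValueError:
        return None


def max_distinct_ports_in_window(attempts):
    """Largest number of distinct destination ports one source touched
    within any WINDOW_SECONDS span (sliding window over sorted attempts)."""
    attempts = sorted(attempts, key=lambda a: a.ts)
    in_window = Counter()
    best = lo = 0
    for hi, a in enumerate(attempts):
        in_window[a.dport] += 1
        while (a.ts - attempts[lo].ts).total_seconds() > WINDOW_SECONDS:
            old = attempts[lo].dport
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            lo += 1
        best = max(best, len(in_window))
    return best


def summarize(log_text):
    """Return totals, scanning sources and per-service attempt counts."""
    attempts = [a for a in map(parse_line, log_text.splitlines()) if a]
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    scanners = {}
    for src, items in by_src.items():
        width = max_distinct_ports_in_window(items)
        if width >= SCAN_PORT_THRESHOLD:
            scanners[src] = width
    service_hits = Counter(SERVICE_NAMES[a.dport] for a in attempts
                           if a.dport in SERVICE_NAMES)
    return {"total_attempts": len(attempts),
            "scanning_sources": scanners,
            "service_attempts": dict(service_hits)}


def build_sample_log():
    """Constructed sample traffic (not captured data): one port sweep,
    one source hammering SMB, one ordinary web hit, one sub-threshold
    probe of a few high ports, plus a malformed line that must be skipped."""
    lines = [f"2007-11-27T02:14:{i:02d} 198.51.100.7 192.0.2.10 {20 + i} tcp S"
             for i in range(16)]                       # sweep: ports 20..35
    lines += [f"2007-11-27T03:{5 * i:02d}:00 203.0.113.5 192.0.2.10 445 tcp S"
              for i in range(5)]                       # repeated SMB attempts
    lines.append("2007-11-27T09:30:00 192.0.2.77 192.0.2.10 80 tcp S")
    lines += [f"2007-11-27T10:00:{10 * i:02d} 203.0.113.9 192.0.2.10 {p} tcp S"
              for i, p in enumerate((8080, 8443, 8000, 3000, 5000))]
    lines.append("garbage line that should be ignored")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(build_sample_log())
    print(f"{s['total_attempts']} inbound attempts")
    for src, width in s["scanning_sources"].items():
        print(f"  scanner {src}: {width} distinct ports within {WINDOW_SECONDS}s")
    for svc, n in sorted(s["service_attempts"].items(), key=lambda kv: -kv[1]):
        print(f"  {n} attempts against {svc}")
```

The sliding window matters more than it looks: a scanner spreading its probes over hours would never exceed the threshold in a single minute, so the window (and the threshold) are what separate "a host that happens to talk to us on several ports" from "a host walking our port space". Counting attempts per service port separately is what produces the second, more persuasive statement of the story, that some of the traffic is aimed at specific services rather than merely mapping the network.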

Moral of the story: whatever security battle one has to fight, if we can find a way to make the threat visible to the decision makers, favorable results are likely.
