Building the business case for Data Protection

In an increasingly connected business world, the need for robust data protection is becoming more and more important. However, while it may seem like a no-brainer to security teams, it’s not necessarily the case amongst executive ranks, where cost of implementation and business disruption can often be seen to outweigh the risks. Luke Brown of Digital Guardian discusses how security professionals can build an effective business case for data protection and takes a brief look at the murky world of cyber security insurance.

Friday, 16th September 2016, by Phil Alsop
The business case for strong data protection may seem like an obvious one. But in organisations where every cost must be justified regardless of size and importance, making the case can sometimes be much harder than it should be. Often, the difficulty for security professionals comes with how to best present security measures in a manner that garners the political and financial support needed at the executive level. Perhaps unsurprisingly, the key to success usually lies in the ability to clearly demonstrate value and ROI to those that hold the purse strings.
An effective, value-based business case for data protection aligns specific business priorities with the necessary data protection initiatives. Put simply, it shows executives how robust security can contribute to the overall growth and revenue of the business. In doing so, it can encourage a more organic focus on data, whilst simultaneously creating the mindset that security and privacy can be key business differentiators in their own right.
How can security professionals achieve this? Generally speaking, there are two different approaches they can take:
1) Qualify how security aligns with the wider business goals and objectives
A value-based approach must highlight how security initiatives support or enable key business imperatives and initiatives, aiding both strategic discussions and executive visibility. For a security professional, the key here is to use the right language for the audience in question. When speaking to a CISO, discussions should focus on effective technology integration, reduction of attack vectors, and how to deliver robust operating system coverage. Conversely, a CEO cares far more about reduction in capex and lowering the total cost of ownership. Knowing the audience is crucial.
Another key success factor is the ability to tie data security into the right business timelines and goals. Security teams might only like to talk in terms of the next six months, but management teams plan 12 months at a time, while corporate strategists often gaze 3-5 years into the future. Security teams need to make sure they are talking about the right timelines to the right stakeholders, or risk selling themselves short and being overlooked in the context of the bigger picture.
2) Quantify the value of information security
An alternative approach is to put quantifiable figures on the importance of information security. The most compelling cases don’t just stop at the value of the information today either, they also take into account what this information could be worth in the future.
When calculating the value of current data assets, security professionals need to look at proprietary IP, formulas, methodologies, trade secrets, and other pieces of data that are the key to the business's current profitability. Protecting these effectively should be the highest priority that the business has. Tying their protection directly to the business's bottom line can help executives understand just how significant this is.
As mentioned, the most effective arguments don’t just stop at the present day, they also look at the IP that is most likely to drive market share tomorrow as well. How would a strong data protection regime positively affect business growth over the next 3-5 years?
A word on cyber insurance and its pitfalls
As expected, there are a variety of insurers out there offering further peace of mind by covering businesses against cyber attack and data loss. Insurers will assess a company's security tools and defences to determine the level of risk, before calculating the rates they are prepared to offer.
With high profile attacks happening seemingly on a daily basis at present, cyber insurance premiums have been understandably volatile, particularly in heavily regulated industries such as healthcare and financial services. Furthermore, there are usually several notable pitfalls and exclusions to watch out for when it comes to cyber insurance policies today. Most importantly, businesses must make sure they know exactly what is covered and what isn't. Intellectual property is often excluded because of the difficulty of accurately determining its value, and because of the complexity, or in many cases the impossibility, of recovering losses or repairing the damage caused.
Any company seeking cyber security insurance should also be prepared to come under intense scrutiny from underwriters. They may be asked about formal incident response plans, encryption technology in use, compliance and the security of vendor networks. Failure to provide satisfactory answers will likely result in insurance being refused.
Building the business case
The need for robust data protection is growing by the day. However, that doesn't necessarily mean security professionals will have an easy time convincing cost-conscious executives of this unless they can demonstrate a tangible ROI or benefit to the business as a whole. When building an effective business case for data protection, knowing the audience, speaking the right language and understanding how security ties into the wider business objectives will all play a critical role in success. Cyber security insurance can further enhance peace of mind, but isn't without its pitfalls either. Businesses must make sure they know exactly what is and isn't covered in the policy and be prepared for intense scrutiny from underwriters before an offer is even made.