Security: How to Get Management Buy-In
A CISO's Guide to Making the Business Case for Security Resources
In the wake of an evolving threat landscape and escalating attacks on organizations, the Indian security marketplace is optimistic about getting business buy-in for new technology investments. But translating that optimism into concrete security resources remains the challenge Indian security leaders face. In a developing market such as India, the way to connect with management and secure buy-in is to raise awareness by speaking in a language that business leaders understand, says Venkatesh Subramaniam, CISO of Idea Cellular, a leading telecom carrier.
"Keep it simple," he says. "Don't use jargon or play up the fear element and back your pitch up with solid data points. Building trust through preparation will stand you in good stead going forward."
Information Security Media Group caught up with Subramaniam for this exclusive interview (transcript below) on the sidelines of the sixth nullcon security conference held in Goa, where he was a panel speaker. Subramaniam shares insight on dealing with management and securing trust to get the support an Indian practitioner needs. In the process, he sheds some light on the prevailing security culture in Indian enterprises today. He also shares his thoughts on:
- The importance of security metrics;
- Changes that global threats have had on Indian management's approach to security;
- The need for Indian CISOs to be proactive.
Subramaniam has more than 20 years of experience in information technology and security and has worked in diverse areas of security in the finance and telecom sectors as well as Fortune 50 companies globally. He has recently relocated back to India from the U.S. In his current role as CISO of Idea Cellular and its subsidiaries, he is accountable for all security strategy; policy and risk governance; security engineering; and operations - from evaluation of solutions to deployment and operations. He is also responsible for business continuity management and privacy compliance.
Edited excerpts of the interview follow.
VARUN HARAN: What are the challenges that Indian security practitioners face when it comes to selling security to the management and getting funding approved?
VENKATESH SUBRAMANIAM: I think the main thing from my experience is that the management always looks at the bigger picture. When you ask your MD for budgets for a project, it is just a small proportion of what he/she is looking at from a revenue perspective. So, when you approach the management with an idea, you need to present it to them appropriately. Having adequate preparation before going into such meetings is absolutely paramount. Clearly define the problem first and never go with just a problem; bring some solutions. Follow this up with recommendations, having done due analysis.
While the management may not get into the details of the issue, they tend to have confidence in a clearly-defined problem statement and the fact that you have performed an in-depth analysis in keeping with the business's needs. So the way you structure this presentation in these three buckets is very critical.
The second aspect of this challenge is that the management does not understand terms like 'vulnerability,' 'exploits' etc. These are not terms that you should use. It is always better instead to give them clear, real-world examples. A good correlation to what they do on a daily basis, even in a personal capacity, is helpful in getting your message across.
The third is something that has worked well for me, which is to define the business impact and list out some quantitative benefits. Specific data points are important to impress the business case on the decision makers. Sharing quantitative data which they will be able to associate with is very important. In case of regulatory impact, list out the specific clauses and the need clearly. In my experience, you cannot really sell fear to them - they are very savvy people. And just to say generally that this is a risk to the organization also doesn't sell. Keep it simple. Don't use jargon or play up the fear element and back your pitch up with solid data points. Building trust through preparation will stand you in good stead going forward.
HARAN: With the last year being called the year of breaches, do you find any change in the management-level approach to these issues in the industry today?
SUBRAMANIAM: Honestly, I feel that despite the number of attacks that have happened globally, unless something major happens in India, which is directly associated with an Indian organization - interest and awareness would be low. Sony, Target or a JPMC look distant to Indian organizations, and unless something happens closer to home that Indian companies can relate to, the threat perception will not be immediate to necessitate any kind of change or investment.
That said, some organizations in India have a pragmatic approach, and having a good business case is sufficient to loosen purse strings. For instance, selling APTs as a threat to Indian organizations is tough - it will be difficult to convince management to make significant investments purely based on fear that something may happen. A show-and-tell approach to risk by doing POCs can help in a big way.
A threat-based or breach-based approach may not work well, since it raises the question of why the existing controls are not sufficient. To explain changing paradigms, demonstrating risk to the business supported by data points is the best way. For big investments that are not directly related to a business initiative and are purely concerned with threat management, this is the approach I recommend.
Value of Metrics
HARAN: How significant are security metrics to support this approach?
SUBRAMANIAM: Absolutely essential. For example, if you want a buy-in for a data leak prevention solution, don't tell them data is leaving the organization - show it to them. Do a POC and demonstrate it. This also gives you as the CISO the opportunity to practically see if your data and predictions regarding the security posture hold true - especially for things like APTs that quite a few CISOs now are still not completely convinced about.
Security Built In
HARAN: In a country like India, where a lot of state-of-the-art IT infrastructure is in demand and is being commissioned - be it cloud, mobility, etc. - what is the way in which you can sell the case for building security into the architecture rather than adding it later?
SUBRAMANIAM: If I have to convince the management of the merits of building in security in areas where they have planned growth, I can be confident of getting buy-in - depending on how I articulate the long-term benefits and how I anticipate their needs.
As a practitioner today, you have to be ahead and think ahead. You can deal with scenarios by saying no - you could even be extremely regressive and refuse to allow things like cloud altogether. All this is representative of how you are progressive as a CISO and if you are presenting a case where you are proactively supporting the business. As a CISO today you need to be prepared to anticipate the direction the organization is heading in and support it. Saying no is not an option.