Articulating Security's Business Value: Gartner's Scholtz on How to Educate Management
The security community typically uses terms such as "confidentiality, integrity and availability" to discuss their work. But the reality is: Most people outside security have no idea what these terms mean. This and the topic of return on investment are the two basic challenges for security leaders when it comes to articulating the business value of security, says Tom Scholtz, research vice president and Gartner Fellow at business consultancy Gartner.
"As a security officer, if I invest in a controls capability and sleep better at night because I think the risk has been reduced, that's a return," he says. "Unfortunately, the business interprets ROI in financial terms, and the majority of security investments are difficult to express in quantitative terms because we are struggling to counter a hypothetical risk against a hypothetical financial impact."
Practitioners need to find more qualitative ways to articulate the business benefits of security investments, he says. They can do this best by identifying the business drivers that are unique to their organization and explaining how security enables the technology underpinnings that support those drivers (see Security & Privacy: Making the Case).
The second aspect is to continually communicate quantifiable metrics to the business, including how the organization compares with the rest of its industry. Effective security usually results in a low profile, which is a good thing, but it also means that the investment could be questioned, he says.
Information Security Media Group caught up with Tom Scholtz on his recent visit to India as a speaker at the Database and Infrastructure Summit organized by Gartner. In this exclusive interview, Scholtz speaks about articulating the value of security to the business, in addition to:
- Recommendations for building management buy-in;
- Software-as-a-Service and building in the right security controls;
- The paradigm shift required for the age of Internet of Things.
Scholtz is a research vice president at Gartner, where he advises clients on security management strategies and trends. He is an authority on information security policy design, security organizational dynamics and security management processes. Scholtz is a regular presenter at European industry events and has more than 20 years of experience in information security and systems management. His background includes extensive technology experience in the utility and banking industries. Scholtz has been with Gartner since 2005 with the acquisition of META Group, where he was an analyst for eight years. Before META Group, he served in various IT architecture and operations roles for a number of South African companies.