Risikomanagement
Calculated Risk
"My experience is that the business managers have clear ideas aboutloss, risk and what it will cost them and probably more experiencethan the security guys know," says Jacobson of IST. "You have to go toMr. Jones and ask him what it would cost him to be down, what is hisoptimum recovery time. He will have better answers than you think,especially as he thinks about it more."
KNOW THYSELF. With all of this data in hand, you can start to build athreat profile. You'll need to know the threats specific to yourindustry, the probabilities of certain types of attacks based on thekind of company you have or the kind of infrastructure you use. Crudebut true example: Financial services companies face more attacks thanmanufacturing companies. Companies in the news endure spikes inattempted incidents. The Riptech statistics actually do somedemographic breakdowns based on industry sector.
CALCULATE CONSERVATIVELY. We're moving from how and where to get datato how you're going to present it. When pulling together numbers for aROSI study, always play it safe. Don't assume costs or benefits you'renot sure of. If someone says the probability of an attack is between10 percent and 20 percent, use 20 percent. If they say the cost of anattack is $50,000 to $100,000, take the bigger number.
And use "soft returns" as gravy. Soft returns are generally thehardest elements of a security investment to quantify. An improvedbrand image due to increased security is a soft return. Trying to addthese to the equation is difficult--some skeptical CFOs might evendismiss your ROSI argument as "fudged" because of these variables.Therefore, soft returns are more effectively used as an added benefiton top of ROSI when selling executives.
KNOW YOUR AUDIENCE. And when selling the bosses, the CSO should learnwhat those executives are looking for in terms of return. "I can'ttell you how many times these things are rejected out of hand, becauseIT is selling something that the executives aren't even looking tobuy," says Delphi's Koulopoulos.