The Agency Insider with Linda McGlasson

Security Budget Battle: Arm Yourself with These Questions

Security Budget Battle: Arm Yourself with These Questions

It is an age old question: Who really is in charge of security? A look back into history, one can see the origination of the word "password" and how it came from the guard at the gate of a city or castle, who upon approached, would say "Halt, who goes there?"

The other person would answer back the "password" and, based on what answer they gave, would either be admitted though the gate, or they would be chased away. The guard's job was simple -- protect the entrance, thus the entire city or castle was safe. The guard answered to the head of the guards, who answered to the city's leader, or the castle's king.

The previous example paints a simplified picture, but shows what path security reporting should take - no dotted lines, no matrixed reporting chart; just a line drawn straight from the Chief Security Officer (head guard) to the board or CEO's office.

The ultimate decision-maker should be the one in charge of everything. But let's be really honest: Who among you has that direct line of reporting? Well, I know that I never saw a direct line of reporting yet that didn't have at least one detour.

One detour many institutions' CISOs or Risk Officers take is through the Chief Financial Officer's office. The "decider of budgets" AKA the "guy who signs the checks." Are these people interested in security? Sure, most will tell you, as long as it doesn't cost the institution a lot of money. You're having to justify every dollar or person you have on staff, and you want more money? Good luck.

So, what's the best thing to take into your next budget meeting with your favorite CFO? It's not the box of cookies as peace offering to make up for the last grudge match/budget meeting. How about taking in a list of things that will make your cost-conscious CFO sit up and see the monetary implications to the institution's bottom line if they DON'T spend money on security? That list is 50 questions that CFOs would want to ask themselves about risk and probability of financial losses. And "Loss" is a four-letter word that no Chief Financial Officer wants to hear or see on any report.

The list of 50 questions at "The Financial Impact of Cyber Risk" can be found on the American National Standards Institute's website. It was introduced last fall as a joint release by the ANSI and the Internet Security Alliance. ANSI oversees the development of consensus standards for products, services, processes, systems and personnel in the U.S. and coordinates with international standard makers. Some examples of ANSI standards are the standardization of computer programming languages and how character values in digital computers are represented.

Here are some sample questions:

What legal rules apply to the information that we maintain or that is kept by vendors, partners and other third parties?

Do we understand what regulated data we have, where it exists and in what format?

What is our biggest single vulnerability from a technology or security point of view?
Think of all of the cost-cutting that you've probably been asked to make in the last year. Here's your chance to make a real dent in their resistance to spending on security, without resorting to using your regulator's FFIEC compliance requirements as a weapon or defensive shield to prevent budget cuts.

Forward your CFO or other key execs a copy of these 50 questions and sit in the office while they review the document. Key words that jump off the page are words like "legal exposure," "regulatory compliance" "cyber security events" "company reputation" "customer loyalty" "shareholder value" and my favorite -- the one I just know that any CFO worth their title will pay attention to - "financial loss." That's the word that makes them reach for their acid relief medication. These words are just on the table of contents page! Along with the 50 questions, the rest of the document is chock-full of charts to help them calculate the probability and severity of financial loss from both the risks and the actions to mitigate them.

Let me hear from you about your CFO's reaction (or your senior management) to these 50 questions.



About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.