Graphical History of Hacking

This was pretty cool. Thanks to OnlineMBA and their post.

Infographic: The History of Hacking (via Online MBA)

Thousands of Businesses had an Uneventful Day

I guess that headline wouldn’t sell too many papers, but in most cases this is the reality that drives decisions about information security investment. For most executives the sky isn’t falling, and a security team that operates as if it always is soon gets treated like the Boy Who Cried Wolf. This is exactly why pushing security investment through FUD (Fear, Uncertainty and Doubt) is ineffective as a strategy: every alarm that doesn’t materialize costs you credibility for the next one.

There is a fine line between being a vigilant defender of information and being an alarmist. The need for information security has never been greater, and surveys suggest that executives already understand this, so now is not the time to be lighting the warning beacons of Gondor. Keep the focus on the business when proposing new security investments.

I’m not a fan of using predictive models such as “Annualized Loss Expectancy” (ALE) to make a case for security investment. ALE is the single loss expectancy multiplied by the annualized rate of occurrence, and in practice both factors are estimates, so it pretty much takes a guess and multiplies it by another guess. ROI? What is your return on something that doesn’t generate revenue? Security spending avoids cost rather than producing it, and dressing an avoided-loss estimate up as a “return” leaves too much guesswork to provide any real benefit.

It’s important to take the time to build a case using solid metrics and be able to clearly articulate the need from a business perspective.  Some points to remember:

  • Knowing how information is used, where it is stored, how it is processed, and where and how it is transmitted is a vital requirement when proposing new security investments. It is surprising how many organizations can’t meet this requirement, but you simply can’t protect what you don’t know you have.
  • Leverage what you already have.  Show that you can maximize the value of currently deployed security tools.
  • Demonstrate how the threat applies to your specific infrastructure and business environment.
  • Use regulatory compliance to complement the proposal, not as the only argument for the proposed solution.

Remember, information security is driven by the needs of the business, the value of information, and the validity of the threat to both.  Being able to articulate the message in these terms helps make the case for security investments when things are otherwise uneventful.