The Business Case for Information Security: Getting Your Security Budget Approved

Information systems security is vital in enterprises today in order to curb the numerous cyber threats against information assets. Despite the good arguments put forward by information security managers, the Board and senior management in organizations might still drag their feet in approving information security budgets, vis-à-vis other items such as marketing and promotion, which they believe have a greater Return on Investment (ROI). How do you then, as a Chief Information Security Officer (CISO) or IT/Information Systems manager, convince management or the Board of the need to invest in information security?

I once had a conversation with an IT Manager for one of the big regional financial institutions, who shared his experience on getting an information security budget approved. The IT department was tussling it out with Marketing for some funds that had been made available from savings on the annual budget. “You see, if we invest in this marketing campaign, not only shall the targeted market segment help us make and surpass the numbers, but also estimates show that we could more than double our loan portfolio,” argued the marketing people. On the other hand, IT’s argument was that “by being proactive in procuring a more robust Intrusion Prevention System (IPS), there will be a reduction in security incidents”. Management decided to allocate the extra funds to Marketing. The IT people wondered then what they had done wrong that the marketing people got right! So how do you ensure that you get that budget approval for your information security project?

It’s vital for management to appreciate the consequences of inaction as far as securing the enterprise is concerned. If a breach occurred, not only would the organization suffer loss of reputation and customers due to reduced confidence in the brand, but a breach could also lead to loss of revenue and even legal action being taken against the organization, situations which good marketing campaigns might fail to redeem.

Below we address the major objections management could raise against investing in information security.

1. Information security solutions tend to be costly, where are the tangible returns?

The overall goal of any organization is to create or add value for its shareholders or stakeholders. Can you quantify the benefits of the countermeasure you want to procure? What indicators are you employing to justify that investment in information security? Does your argument for a countermeasure align with the overall objectives of the organization, and how do you justify that your action will help the organization achieve its goals and increase shareholder or stakeholder value? For example, if the organization has prioritized customer acquisition and customer retention, how does procurement of the information security solution you propose help achieve that goal?

2. Isn’t the countermeasure a panic / isolated reaction to a regulatory requirement or recent audit query?

The vast majority of information security projects are driven by external regulations or compliance requirements, or arise as a reaction to a recent query by the external auditors or even a recent systems breach. For example, a financial regulator could require that all financial institutions implement an IT vulnerability assessment tool, so the organization is required to comply at any cost or face penalties. While responding to these regulatory requirements is necessary, a “plug the holes and fight the fires” approach is not sustainable. The implementation of process change in isolation could result in an environment of working in silos, conflicting information and terminology, disparate technology, and a lack of connection to business strategy. [1]

Uncoordinated reactions to specific regulatory requirements may lead to implementing solutions that are not aligned with the business strategy of the organization. Therefore, to overcome this problem and get funding approval and management support, your argument and business case should show how the solutions you intend to procure fit into the bigger picture, and how this aligns with the overall objective of securing the organization’s assets.

What are the costs, implications, and the impact of doing nothing?

You will need to communicate to management the basic business value of the solution you want to procure. Start by showing and calculating the current cost, implications, and impact of doing nothing, i.e. of not having the countermeasure you want to procure in place. You could classify these as:

Direct cost – the cost that the organization incurs for not having the solution in place.

Indirect cost – the amount of time, effort and other organizational resources that could be wasted.

Opportunity cost – the cost resulting from lost business opportunities, if the security solution or service you propose was not in place and how that could impact the organization’s reputation and goodwill.

You could use the following pointers and expound on these further:

• What regulatory fines for non-compliance does the organization face?

• What is the impact of business interruption and productivity losses?

• How would damage to the organization’s brand or reputation result in financial losses?

• What losses are incurred due to poor management of business risk?

• What losses do we face attributed to fraud: external or internal?

• What are the costs spent on people involved in mitigating risks that would otherwise be reduced by deploying the countermeasure?

• How will loss of data, which is a great business asset, impact our operations, and what is the actual cost of recovering from such a disaster?

• What is the legal implication of any breach as a result of our non-action?

How does the proposed solution reduce cost and increase business value?

You will then need to show how the countermeasure you propose is going to reduce cost and increase business value. Again you could expound more on the following areas:

• Show how the increased efficiency and productivity of deploying the countermeasure will benefit the organization.

• Quantify how reduced downtime will increase business productivity.

• Show how being proactive could reduce IT audit and assessment costs.

• Quantify the cost reduction that would otherwise be associated with internal audits, third-party audits, and technology.

According to 2011 research conducted by the Ponemon Institute and Tripwire, Inc., business disruption and productivity losses are the most expensive consequences of non-compliance. On average, the cost of non-compliance is 2.65 times the cost of compliance for the 46 organizations sampled; with the exception of two cases, non-compliance cost exceeded compliance cost. [2] This means that investing in information security in order to protect information assets and comply with regulatory requirements is actually cheaper, and reduces costs, compared with putting no countermeasures in place.

Get support from the various business units in the organization

A good budget proposal should have the support of the other business units in the organization. For example, I did suggest to the IT manager mentioned before that he should probably have discussed with Marketing and explained to them how a reliable and secure network would make it easier for them to market with confidence; then IT would probably have had no competition for the budget. I don’t believe the marketing people would like to go and face customers when there are possible questions of unreliable service, system breaches and downtime. Therefore you should ensure that you have the support of all the other business units, and explain to them how the proposed solution could make life easier for them.

Create a rapport with Management / the Board for future budget approvals as well: publish and give reports to management on, for example, the number of network anomalies the intrusion-detection system you recently procured found in a week, the current patch cycle time, and how long the system has been up without interruption. Reduced downtime will mean you have done your job. This approach will also show management indirect savings, for example a reduction in insurance cost based on the value of policies needed to protect business continuity and information assets.

Getting your information security project budget approved should not be so much of a challenge if you cater for the main issue of value addition. The main question you need to ask yourself is: how does your proposed solution improve the bottom line? What the Management / Board require is assurance that the solution you propose will produce real long-term business value and is aligned with the overall objectives of the organization.



[2] Ponemon Institute, The True Cost of Compliance, 2011.

Big4 IT Consultants and The Road Ahead

Demand for Big 4 IT Consultants:

“A Big 4 Accounting firm is seeking IT Auditors,” “Big4 experience in IT Audit, SOX 404, Business Process controls, internal controls,” “Big4 ERP consultant with Big 4 experience,” “Strong Big4 experience in the SAP market,” “Big 4 firm seeks senior level Oracle, JD Edwards or PeopleSoft Management/Business Consultants” … the requirements list for Big4 IT consultants is limitless!

Big4 IT Saga:

Apart from being extraordinary performers, the Big Four firms and their clients have the knack of achieving success during uncertain periods. According to Deloitte Technology Fast 500, IT and Software firms consistently lead the Fast 500 list. The latest Trendsetter Barometer survey from PricewaterhouseCoopers strengthens Deloitte’s reports. The survey avers that the fastest growing companies in the U.S. allocate more than 60% of the budget for Information Technology.

What drives the Big 4 IT Firms?

IT is a volatile market that demands business and technology improvements at the drop of a hat. Managing risks and handling change are important tasks for IT professionals at the Big4 firms. Today, there are three significant requirements that drive the Big 4 IT firms. They are:

Innovative Management

Dynamic Staff and

Efficient Team Dynamics.

Organizational performance at Big 4 IT firms is driven by the fact that Information Systems Audits, Controls, Business Planning and Development are handled exceptionally well. Typically, Big4 IT firms choose professionals for Information Systems Audits, Disaster Recovery, Systems Development and Information Security. Big4, a website catering to Big4 alumni, receives periodic updates on the latest news and trends at the Big Four IT firms. The training budget per IT employee at Ernst & Young was U.S.$2,100 for the year 2003.

Big4 and ERP:

Enterprise Resource Planning (ERP) is a major bet for Big 4 IT professionals. The Big 4 IT software job market is dominated by ERP technologies from Oracle, SAP, PeopleSoft, Siebel and Great Plains. , the hosted CRM services leader, competes with all the top “install and customize” ERP technology providers. With a list of 300,000 subscribers, it expects to reach a U.S.$300 million profit in 2006.

Following the Oracle-Siebel union, enterprise software technology giant SAP is also planning to offer hosted CRM services. Moving beyond its conventional enterprise software technology market, SAP is competing against industry bigwigs like BEA, Oracle, PeopleSoft and Siebel for top honors in hosted CRM services.

Big4 Firms rely on E-business and Security:

E-business and security are playing important roles in driving the success rate of Big Four firms. In June 2005, Sapient Corp. acquired BIS (Business Information Solutions), a SAP-related services firm. With this acquisition, the demand for Business Intelligence and Value Optimization Services increased tremendously.

Another Big4 stalwart, PricewaterhouseCoopers, helps clients by offering IT cost and performance optimization services. PwC enables organizations to focus on IT business risk, IT spending, IT governance, IT risk management and compliance.

In the information security arena, compliance is a forerunner. Business Process Controls, Internal Controls and SOX 404 are potential players in improving the business performance of the Big Four IT firms. As per a Deloitte Research report, a security loophole in a shipping container can amount to a U.S.$1 trillion loss. Companies worldwide lose U.S.$12.5 billion due to computer hacking and spamming. Additionally, the report also suggests that global companies consider business disruption, poor regulatory compliance, erratic surges in interest rates and terrorist activities as factors affecting security.

Performance of Service Companies and Product-related companies:

As a matter of fact, service companies are performing better and reaping higher revenue than product-related companies. The analysis made by the PricewaterhouseCoopers Trendsetter survey complements the performance of the IT services industry. As per the survey, 62% of e-business budgeting caters to information technology. Service companies devote 57% of the e-business budget to IT personnel, while their counterparts, the product sector firms, allocate 44% for IT personnel.

Big4 Firms and IT Compliance – The Road Ahead:

Sarbanes Oxley and IT Compliance measures have had a positive effect on the overall health of the Big Four firms. With IT auditors and financial auditors standing guard and streamlining the Security measures at Big Four firms, does that mean Big Four IT professionals with desired attributes are a hotcake? You bet!

The Competencies of a Business Analyst

Competencies are described as the ability to do a particular activity to a prescribed standard.

The competencies can be classified into three categories:

1. Behavior Skill and Personal Qualities

1.1 Balanced Behavior

1.2 Leadership

1.3 Problem Solving

1.4 Attention to Details

1.5 Critical Thinking and Analytical Skill

1.6 Flexibility to Manage Situation

1.7 Team working

1.8 Influencing

1.9 Communication

1.10 Relationship-Building

2. Business Knowledge

2.1 Finance and Economy

2.2 Business Case Development

2.3 Domain Knowledge

2.4 Subject Matter Expert

2.5 Principle of IT

2.6 Organization Structure and Design

2.7 Procurement

3. Techniques

3.1 Requirements Engineering

3.2 Stakeholders analysis and management

3.3 Facilitation Techniques

3.4 Business System Modeling

3.5 Business Process Modeling

3.6 Managing Business change

3.7 Data Modeling

3.8 Investigation Technique

3.9 Project management

3.10 Strategy Analysis

1. Behavior Skill and Personal Qualities

1.1 Balanced Behavior

This is the ability to work out what is and what is not commercially acceptable in an organization. Having commercial and political awareness emphatically does not mean accepting the status quo. It does mean using resourcefulness and being astute to get results, even in the face of opposition. Balanced behavior means pressing an issue, but moderately: firm but not arrogant.

1.2 Leadership

There is never one solution for all problems. A leader should have the capability to understand the context of the problem and provide an effective solution.

1.3 Problem solving

A business analyst has to approach an issue with the outlook that the problem can be solved. A variation on this is that even if the optimal solution cannot be implemented for financial, technical or political reasons, the business analyst must be pragmatic and be prepared to find other solutions that will yield at least some benefit.

1.4 Attention to Details

Many business cases fail because there is insufficient detailed evidence for the proposed change. When a project is handed over to IT specialists, they often find many important issues if the details have not been addressed. Having an eye for detail is therefore an important attribute of a good business analyst.

1.5 Critical Thinking and Analytical Skill

Business analysts need the common sense to ascertain which data are relevant and which are irrelevant, and to separate vital factors from less important ones. Much critical thinking is achieved through experience, learning which factors to concentrate on and which to leave.

1.6 Flexibility to manage situation

This is an extremely important quality. Business analysts must have sufficient confidence in themselves, in the quality of their analysis and in the correctness of their solution to be able to withstand pressure and sustain their point of view.

1.7 Team working

Business analysts often work in teams. A natural understanding of their role within the team and of what needs to be done, and an appreciation of the working styles of others, are therefore important to ensure that the project objectives are achieved.

1.8 Influencing

Influencing needs careful consideration and prior planning. Business analysts have to develop an understanding of where the other party stands on their proposal, the likely resistance, and the influencing style needed to approach the person or the group. For example, some managers might defer all decisions to another group; some require information at a very detailed level, while others ask only for a high-level summary. Some may be interested in technicalities, others just in the vision or big picture. Tailoring the approach is vital for a successful outcome. Business analysts are themselves often influenced to take or suggest another course of action. This may involve another round of influencing, facilitating a roundtable discussion and seeking the support of senior colleagues for the best course of action.

1.9 Communication

Communication is the most important skill that humans possess. It encompasses building rapport, listening, influencing and creating empathy. Most analysis work involves collecting and analyzing data and presenting back information that brings a new perspective on the project, so as to propose a course of action. If communication between staff is poor, it leads to frustration when there is a failure to do the obvious thing. Communication with business colleagues must be in a language and style that they are comfortable with, avoiding what they perceive as techno-babble. Business analysts must adjust their communication to align with the people they are talking to.

1.10 Relationship Building

This is an extension of communication skill and concerns the ability to get on well with people at a working, if not social, level. Some people possess this ability naturally and others have to work on it. Business analysts must get to know people in order to impart information, share opinions and listen to ideas for change.

2. Business Knowledge

2.1 Finance and Economy

The universal language of business is finance. A business analyst needs to have a good working knowledge of the economy and of the basics of business finance. This includes a general understanding of financial reports such as the balance sheet and profit-and-loss account, financial analysis tools such as ratio analysis, and the principles of costing.

2.2 Business Case Development

Much of an analyst’s work will be to assess the costs and benefits of delivering a project to the organization. When communicating analysis findings, you need to ensure that you have a view of the financial impact of the project. IT is an enabling tool for the business benefits to be achieved. Business analysis projects involve other specialists, such as management accountants, to understand and model the business activities and determine how IT can deliver financial benefit. To develop a business case, a basic understanding of finance is required, along with the financial workings of the business area. Business analysts involved in business case preparation have to understand basic investment appraisal techniques and work closely with the finance department.

2.3 Domain Knowledge

This gives a general understanding of a business domain. Apart from general domain knowledge, specific domain knowledge is required for the following reasons:

* It enables you to talk sensibly with the business people involved in the project, in a language that they can understand.

* It helps you to understand what would and would not be acceptable or useful in the business domain.

* It may enable you to contribute ideas.

2.4 Subject Matter Expert

This takes domain knowledge to a lower level of detail. The level of expertise required depends on the type of work being done. Business analysts who specialize in a particular domain, with a strong and detailed understanding of the subject area, can pinpoint areas for improvement and development and identify what needs to change, analyzing using their existing knowledge and contacts. The key point is to assess how well your competencies meet the needs of the current situation and to recognize where they need improvement.

2.5 Principle of IT

Many business analysts do not have an IT background. However, many business analysis projects result in the use of IT in one way or another. A general understanding of the field is necessary for a business analyst so that he or she can communicate meaningfully with IT professionals. The key requirement is that the business analyst must understand the technical terms used by IT specialists. Since IT solutions are often investigated by business analysts, they should have an understanding of IT fundamentals, including areas such as:

* How computers work, including operating systems, application software, hardware and networks.

* The systems development lifecycle

* Systems development approaches

* The relative pros and cons of developing systems versus buying systems “off the shelf”

* Trends and new opportunities that IT brings, such as ecommerce, grid computing and mobile technologies and how these impact systems development.

2.6 Organization Structure and Design

Business analysis projects involve restructuring organizations to a greater or lesser degree in order to improve customer service. It is important for business analysts to have a good understanding of the various organization structures that may be encountered (functional, project, matrix and so on) and of their relative strengths and weaknesses.

2.7 Procurement

Most organizations use external suppliers to deliver their IT systems. Selecting an appropriate sourcing strategy involves assessing the work and deciding the most appropriate way to take the project forward on sound commercial terms. Once the analyst has worked out the type of work that is required, they need to assess the most appropriate supplier, internal or external, to take the work forward, and what commercial terms are to be employed. A business analyst needs a broad understanding of the contractual arrangements shown below:

* Time and Materials: where the contracted party is paid on the basis of the time worked.

* Fixed-price delivery: where the contracted party is paid the price originally agreed for the delivery of a piece of work according to a precise specification.

* Risk and reward: where the contracted party has agreed to bear some or all of the risk of the project, for example by investing resources such as staff time, materials or office space, but where the potential rewards are greater than under other contractual arrangements.

3. Techniques

3.1 Requirements Engineering

This is the set of practices and processes that lead to the development of a set of well-formed business and system requirements, from which IT and other solutions are developed.

3.2 Stakeholders analysis and management

This includes understanding who the stakeholders in a business analysis project are and working out how their interests are best managed.

3.3 Facilitation Techniques

The interpersonal skills required for effective facilitation are usually exhibited within the context of a workshop. Effective facilitation usually results from a combination of the right qualities in the facilitator and the choice of the right techniques to match the task and the cultural context of the organization in which they are being used.

3.4 Business System Modeling

Business system modeling is an approach to understanding business systems through the creation of conceptual models of those systems.

3.5 Business Process Modeling

Whereas a business system model looks at the entire business system in overview, more detailed process models are used to map and analyze how business processes actually work, and help to identify opportunities for process improvement.

3.6 Managing Business change

This covers the techniques needed to implement changes within the organization and to make them ‘stick’.

3.7 Data Modeling

Analyzing the data held and used within a business system affords valuable insights into how a business operates. For example: what data items are held about customers? What is the relationship between customers, products and suppliers?

3.8 Investigation Technique

To get to the root of a business issue the analyst will have to undertake detailed analysis of the area.

3.9 Project management

Project management covers the following areas: scope management, integration management, time management, cost management, quality management, resource management, human resource management, risk management and procurement management. A business analyst may not necessarily exhibit skills in all these areas, but if the project team is small the business analyst may be required to take on the role of project manager. There are some project skills that an analyst should have.

For example, understanding project initiation is vital, as it allows the analyst to understand and define the terms of reference for the project. It is important that the analyst understands project management planning approaches, since he or she will have to work within a plan, and is aware of particularly relevant aspects such as quality and risk management.

3.10 Strategy Analysis

This covers a range of techniques that can be used to understand the business direction and the strengths and weaknesses of an organization, or part of an organization.

How can I develop my competency?

The first step in developing as a business analyst is to understand the competencies required of a business analyst in your organization. This should include an assessment of both the current and the future competencies required. The HR department provides an outline definition of the competencies required of business analysts in the organization. Future competencies are more difficult to assess and depend on factors such as projects that may develop in future, business issues and technological developments. The organization may already have a framework in place, or could use an existing framework such as the Skills Framework for the Information Age (SFIA).

There are three ways in which business analysts can develop competencies:

* Training

* Self-study

* Work experience

Training

Classroom-based training allows skills to be learned and practiced in a relatively safe environment, with a trainer on hand to provide support, guidance and encouragement. Computer-based training is also good if the skills to be practiced are primarily technical in nature.

Self-study

Self-study is an excellent way for analysts to grow their business knowledge. Apart from reading textbooks, browsing publications such as the Financial Times, The Economist, the Harvard Business Review and other technical publications and professional journals will broaden and deepen the analyst’s understanding of the business world.

Work experience

This provides an opportunity to use and improve techniques and to deepen knowledge. It is the best way a business analyst can develop their behavioral skills and personal qualities. The performance of most analysts improves over time as their experience grows, but this can be heightened and accelerated if the organization operates a proper coaching or mentoring program.

The Skills Framework for the Information Age

SFIA and SFIAplus are the two major standard frameworks for the definition of skills and competencies in the information systems field. Both frameworks include a definition of the skill set for business analysis, define various levels of competency for each skill, and can be used as building blocks for any job role that requires these skills.


The description of the overall skill set provided in the SFIA framework for business analysis is as follows:

At each level defined for business analysis, SFIA provides a more detailed definition of the skills required; for example, for level 4 it states:

SFIAplus provides the same description for the business analysis skill set as SFIA, but also provides details of the following:

* Related skill sets (in this case, data analysis, business process improvement and system design);

* Technical Overview, including typical tools and techniques;

* Overview of training, development and qualification;

* Careers and jobs ;

* Professional bodies;

* Standard and codes of practice;

* Communities and events ;

* Publication and resource.

For each applicable level within this skill set (3 to 6 in the case of business analysis), details are also provided under the following headings:

* Background;

* Work activities ;

* Knowledge /skills

* Training activities

* Professional development activities

* Qualifications.

Although SFIAplus provides more detail than SFIA, it is important to realize that the two frameworks should be implemented in different ways.

SFIAplus should be treated as a standard and is not designed to be customized, whereas SFIA is intended to be used as a basis for tailoring to an organization.

SFIAplus enables organizations to classify and benchmark their IT skills and to train and develop their teams to meet the defined skill requirements. As a business analyst, this provides a basis for you to gauge where you are against the skills and corresponding levels of competence defined in the framework.

The final step is to identify a set of actions that will help your development.

* Seek out assignments that give you opportunities to develop.

* Identify a role model who demonstrates your desired competencies.

* Ask them what is required, ask them to mentor your development, or arrange to work for them directly.

* Use training providers to target specifically those areas that need development.

* Consider a secondment to an organization that excels in the required competencies.

* Do your research into specific competencies.

* Ask for regular feedback from your boss or from experts.

* Join an industry specialist group.

* Develop as you go and gain from experience. Record what you’ve learned so that you don’t forget.