The cost of lost data due to human error is almost 30% according to Pepperdine University (40% is attributed to hardware failure, and software corruption/viruses account for only 19%). So how do you get your CEO to understand that security, and the 'soft' element of awareness raising, is crucial for business, and to open the corporate coffers for investment? The ENISA paper points out the obstacles and challenges to obtaining support and funding from senior management, and provides practical advice on how to overcome these issues during the planning and implementation phases of an information security programme.
Five areas are identified as crucial to obtaining corporate security investment, in brief:
1. Define the investment rationale and the right stakeholders.
2. Build a persuasive business case so that senior management better understands the value of the investment, in order to obtain funding and commitment.
3. Estimate programme costs: this allows organisations to identify the most common expenses that may be incurred and to make rough estimates.
4. Link business benefits to the information security initiative, and define and calculate performance metrics.
5. Detail a typical path for facing a corporate executive in a senior management briefing. Effective communication is critical: the right information should be delivered at the right time, in the right manner, preferably 6-12 months ahead of the project.
The Executive Director of ENISA, Mr. Andrea Pirotti, commented: "Making CEOs understand that security is crucial for business and a corporate matter, not merely an ICT issue, is key, but not a trivial exercise. This is a guide for European businesses on how to anchor the Return on Investment in security and make it into a business case."