The biggest challenge IT managers worldwide face today is convincing their management and employees that information security is a real issue that must be taken seriously if they want to avoid complications and unwanted consequences later. Although sensitivity and awareness towards information security have grown over the past years, it remains difficult to actually “sell” information security, first to management and then to staff.
If you have ever tried to sell this idea, you will have faced tough questions: How much does it cost? How much time will it take to put a proper information security management system in place? What will the return on investment be if we decide to implement it? Many of you may have had a business case turned down simply because the implementation cost was too high or the project too complicated. Management cannot really be blamed for such a decision: their ultimate responsibility is the profitability of the business, and they need to strike the right balance between investment and benefit.
So, as an IT manager, convincing management that an information security implementation is a genuine requirement of your organization and deserves significant attention can be a daunting task. It means you need to do thorough homework before proposing an information security solution to management, so that you can secure sufficient investment for it.
Preparing a business case is the first step for anyone who intends to make such a proposal to management. A business case is a tool that helps with planning and decision-making, including decisions about the opportunities, the choices and the right time to start an action or sequence of actions. Before developing a business case, however, you should do detailed homework and brainstorming around the following questions:
- What is the purpose of the project?
- To what need of the users will it respond?
- What are the solutions available in the industry?
- How much does it cost?
- What are the risks, constraints?
- How to tell if the project will be a success?
- How to explain to employees, customers, partners…?
- Who will be responsible for this project?
Based on this homework, you should develop a business case. Always include answers to all of the questions above, because this information is the basic source from which management draws meaningful conclusions. Ideally, your business case should contain the following parts:
- The goals or objectives of the project
- Alignment with business strategy and value which it will add
- The various options that were considered
- The solution chosen
- Expected benefits – desired earnings, roadmap for results, financial benefits (depending on outcome), value of quantified benefits, financial scenarios, cost / ROI, risks / costs of not acting, project risks (for the project itself, for the profits and for the business)
- Industry trends
- Budget – project controls, financial plans, etc.
- How the project will be implemented
- The resource requirements of the project
- Preliminary Scope – Action framework, perimeter and boundaries, prerequisites
- Critical success factors – material and human resources, context
A good business case must therefore show what benefits can be expected from a decision over a given period. More importantly, it should also include the methods and logic that lead to the quantification of those benefits. The most common benefits you can highlight include the following.
Regulatory compliance: This point alone often shows the quickest “return on investment”, especially if your organization works under tight regulatory and statutory frameworks, e.g. if it is a financial, health or government organization. For organizations that must comply with various regulations on data protection, privacy and IT governance, ISO 27001 can definitely be a good selling point.
Gaining the marketing advantage: In an increasingly competitive market, it is sometimes very difficult to find something that differentiates you. ISO 27001 could be a unique selling point, especially if you handle clients’ sensitive information. A business that is sensitive to competition can find this a fairly good reason to implement ISO 27001 as its USP.
Savings on the cards: Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower the expenses caused by incidents. You will probably need to explain this point in simple language, using real examples from your own organization: what happens if you have an interruption in service, occasional data leakage, or damage caused by disgruntled current or former employees? There is no mathematical formula or technology that calculates exactly how much money you would save by preventing such incidents, but bringing such cases to management’s attention always makes your business case considerably stronger.
To conclude – ISO 27001 can bring many benefits beyond being just another certificate on the wall. However, you need to be articulate and able to present those benefits clearly. If you do, rest assured that your management will start listening to you.
For comments & feedback: firstname.lastname@example.org