Sunday, June 6, 2010

CISO, it is easier to justify security expenses than you think!

Almost every IT security manager or CISO faces three core questions when presenting the case for a budget:
1. We invested in product A last year; how are we doing with that product?
2. How do we justify the cost of the new products required to mitigate new threats?
3. Do I really need a new product, or can an existing product be tweaked to mitigate the new threats?

These are crucial questions when asking for a new budget. Answering them means demonstrating the value of the existing security solutions and conclusively proving that the CISO is securing the organization efficiently with a limited budget.

To show the value of an existing solution, you have to report the total number of threats per quarter that the particular product or solution protected against.

To mitigate new threats, you must know:
1. Which new threats are applicable to your environment.
2. Once the new threats are identified, which assets are impacted (you need this assessment quickly).
3. Finally, the answer to point 2 tells you which products are required: do you need to tweak existing products or buy a new one?

Automation is of prime importance. No manual processes: every Monday morning you should have simple charts displaying which unprotected new threats you should be worried about.

For example: Company A has antivirus and has identified 400 new threats this quarter that are currently unprotected by the AV, putting 50% of assets at risk. The CISO can clearly quantify how many of those threats a new network IPS product or an application whitelisting product would protect the organization against, and by how much that reduces the risk profile.

This is a very important, quantifiable metric for justifying product procurement, tweaking of an existing product, or patch deployment.
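The three steps above (which threats apply, which assets are exposed, which candidate product closes the gap) are easy to automate once threat data and the asset inventory are in machine-readable form. The following is an added illustration written for this post, not code from the original article and not McAfee Risk Advisor; the threat feed, asset list, control names and function names are all constructed sample data and hypothetical.

```python
# Added example (not from the original post): a minimal weekly "unprotected
# threats" report. THREATS, ASSETS and the control names are constructed
# sample data; in practice they would come from a threat feed, an asset
# inventory and the endpoint management console.

# Constructed sample threat feed: each threat lists the platforms it affects
# and the control types that mitigate it.
THREATS = [
    {"id": "T-1", "platforms": {"windows"}, "mitigated_by": {"av"}},
    {"id": "T-2", "platforms": {"windows"}, "mitigated_by": {"ips", "whitelisting"}},
    {"id": "T-3", "platforms": {"linux"}, "mitigated_by": {"ips"}},
    {"id": "T-4", "platforms": {"windows"}, "mitigated_by": {"whitelisting"}},
    {"id": "T-5", "platforms": {"macos"}, "mitigated_by": {"av"}},
]

# Constructed sample asset inventory: platform plus the controls deployed on it.
ASSETS = [
    {"name": "ws-01", "platform": "windows", "controls": {"av"}},
    {"name": "ws-02", "platform": "windows", "controls": {"av"}},
    {"name": "srv-01", "platform": "linux", "controls": {"av"}},
    {"name": "srv-02", "platform": "linux", "controls": {"av", "ips"}},
]


def applicable_assets(threat, assets):
    """Step 1: assets whose platform the threat affects."""
    return [a for a in assets if a["platform"] in threat["platforms"]]


def at_risk_assets(threat, assets):
    """Step 2: applicable assets with no deployed control that mitigates the threat."""
    return [a["name"] for a in applicable_assets(threat, assets)
            if not (a["controls"] & threat["mitigated_by"])]


def coverage_report(threats, assets):
    """Weekly summary: applicable, protected and unprotected threats, and assets at risk."""
    applicable = [t for t in threats if applicable_assets(t, assets)]
    exposure = {t["id"]: at_risk_assets(t, assets) for t in applicable}
    unprotected = {tid: names for tid, names in exposure.items() if names}
    at_risk = set()
    for names in unprotected.values():
        at_risk.update(names)
    pct = round(100.0 * len(at_risk) / len(assets), 1) if assets else 0.0
    return {
        "applicable": len(applicable),
        "protected": len(applicable) - len(unprotected),
        "unprotected": unprotected,
        "assets_at_risk": sorted(at_risk),
        "assets_at_risk_pct": pct,
    }


def threats_closed_by(control, threats, assets):
    """Step 3: the currently unprotected threats that a control, if deployed on
    every applicable asset, would mitigate. Compare candidate products with this."""
    report = coverage_report(threats, assets)
    by_id = {t["id"]: t for t in threats}
    return sorted(tid for tid in report["unprotected"]
                  if control in by_id[tid]["mitigated_by"])


if __name__ == "__main__":
    report = coverage_report(THREATS, ASSETS)
    print(f"{report['applicable']} applicable threats, {report['protected']} protected, "
          f"{len(report['unprotected'])} unprotected; "
          f"{report['assets_at_risk_pct']}% of assets at risk")
    for tid, names in report["unprotected"].items():
        print(f"  {tid}: at risk on {', '.join(names)}")
    for product in ("ips", "whitelisting"):
        print(f"Deploying {product} would close: {threats_closed_by(product, THREATS, ASSETS)}")
```

On the constructed data the report shows four applicable threats, one of which the existing AV already covers, and three unprotected threats exposing 75% of assets; IPS and whitelisting would each close two of the three, so the comparison between them comes down to which threats matter more, which is exactly the chart a CISO wants on Monday morning. The same functions run unchanged on a real feed and inventory once those are exported in the same shape.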

Obviously the next question in your mind is: how do I automate this? I don't have the budget or the resources to build such a solution. In that case I would recommend McAfee Risk Advisor. This product will not help you if you are not a McAfee shop; however, it is very easy to implement if you are an existing McAfee customer with ePO and any one of the McAfee endpoint solutions.

As we know, numbers never lie! And as the business demands more and more justification for product procurement, it will be very important for the CISO to create an automated way to justify the expense on security: something I would call the P&L of security.