SynerComm Blog
One of the things that continues to surprise me as I work in security consulting is the extraordinary number of businesses that struggle with IT security.
It’s not because the IT staff doesn’t have the know-how – everyone I talk to, at every company I visit, knows exactly what should be done. The obstacle is that the people who run those companies aren’t going to spend money or hire people based on ideals. Consider the number of times you’ve heard or said this:
Engineer: “We need <product x> so that we can protect our network from the bad guys.”
This is generally followed by a technical description of what could feasibly happen if a bad guy broke in. And how often does that product get implemented? 1 in 5? 1 in 10? Or does it get my favorite response, “Why do we need another product when we already spent all that money on a firewall?”
When it comes to making a business case to management for improving IT security, there are two major problems with explaining things that way:
- No one is interested in “the network.” Management isn’t interested in protecting a network, and hackers aren’t interested in controlling a network. Both groups are interested in the data and where it sits, and only interested in the network as a means to get to the data.
- Explaining the solution is one thing, but when you explain the problem this way it becomes nothing more than an abstract concept. Abstract concepts don’t get tangible dollars.
The first of these is pretty easy to solve by narrowing your focus. Don’t worry about trying to protect everything – it’s going to feel too big and your audience is going to go glassy-eyed. Start to look at what’s actually valuable and worth protecting. That personally identifiable information (PII) in your database… Your backup tapes… The systems that run your main business app… Aim to protect those. And limit yourself to talking about protecting those when you’re speaking to management because it means something to them.
The second problem is a little tougher to solve. Take a look at how you’re monitoring, auditing, and alerting. Need a load balancer? How do you know? Do you have data to show that the servers have been unresponsive over the last few months? Need an IPS module for your firewall? Again, how do you know? Can you (or a third-party penetration tester) compromise a machine through your existing firewall?
That kind of data is what it takes to go from describing the possibility of a problem to showing management that “right now there is a problem.” It’s the kind of information that management can act on because there’s no uncertainty. Better yet, it keeps the IT department focused (in both money and effort) on what the real security problems are in the organization. And once the solution is in place, the updated data gives a way to show management that the problem is fixed.