Can information security increase revenues, increase customer loyalty and solve other business problems?

Published on August 03, 2015


Typically, information security is “sold” (by vendors to customers, and by IS/IT departments to their own management) by appealing to fear (leaks, viruses, DDoS, etc.) or to regulatory requirements (FZ-152, Regulation 382-P of the Bank of Russia, FSTEC Order No. 17, FSB Order No. 378). This is the traditional view of security and its tools. If you look at the descriptions of many products, you will see that this is exactly how they are positioned. It is understandable: these are universal drivers that do not depend on which company is being offered a firewall, an Internet access control tool, an antivirus, an intrusion prevention system or something else. And it is true. Cisco ASA with FirePOWER Services will fight unauthorized access equally well in Russia, in Australia or in the UK. And the Cisco Cyber Threat Defense network anomaly monitoring system will detect malicious code that has bypassed perimeter protection just as effectively in the United States, Ukraine or Norway.

Compliance requires a little more nuance. Obviously, FSTEC Order No. 17 on the protection of state information systems is a purely Russian invention, but it applies to all state and municipal institutions of our vast Motherland. Legislation on protecting information in industrial control systems exists in many countries of the world, but it differs from country to country. The requirements of FSTEC Order No. 31, the NERC CIP standard, ISA/IEC 62443 and the Qatari standard for the security of critical infrastructure are similar in essence but differ in, for example, conformity assessment, so the solutions proposed for implementing them must have their own specifics.

But here we arrive at the conclusion that in the current difficult economic situation, company management is not interested in compliance: if it is not met, the punishment, if there is one, will be small. Small compared to the question of the company's very survival. And threats are sometimes mythical, and certainly not so frightening compared to the threat of bankruptcy (one's own or a counterparty's), a refused loan, currency fluctuations and other, more business-oriented threats. Therefore the third driver for promoting information security technologies, economics and finance, comes to the fore. It is with their help that one can show how security solutions can help increase the company's profit, reduce costs, increase customer loyalty, speed up product releases and achieve other business goals.

If you think about it, the economic/financial justification does not replace the two previous ones but complements them. You just need to take one more step. Take a DDoS attack, for example. You can simply frighten people with its consequences (without saying which ones), or you can think it through and explain to management what a DDoS attack leads to. To downtime! And downtime is money. Money lost (we pay staff salaries during the downtime). Money not earned (during the downtime we cannot provide services or sell goods). Extra money spent (to restore the system to its pre-attack state). And what does non-compliance with Bank of Russia Regulation 382-P mean? It is not only an order from the banking supervisor to eliminate the violations; potentially it is also suspension of operations and even revocation of the license to provide banking services (fortunately, there have been no such cases so far). And once again, starting from a threat we understand, with a little effort we have translated information security into the language of finance and business. There are many such examples where IS threats affect business indicators directly.

Since we have managed to talk to business about information security in the language of money, we can apply the same language to the product line: move away from the technical characteristics of products towards their financial effectiveness. Here is just one example: the Cisco solution for protecting and controlling Internet access. On one side of the scales we have... no, not the number of threats on visited sites, and not the number of leaks prevented via web mail. We are talking about information security from a business perspective, so we will talk about productivity, or rather the loss of it from visiting sites not needed for work. We can also talk about violations of anti-piracy law and downloading pirated content at the company's expense, which clogs the Internet channel and prevents customers from reaching our website or sending us important mail. All of this translates simply into money, which we place on one side of the scales. On the other side we have a choice among a range of Cisco solutions: Cisco Web Security Appliance (WSA), Cisco ASA with FirePOWER Services, Cisco Cloud Web Security (CWS), Cisco FirePOWER Threat Defense for ISR. It is enough to compare the two sums to understand whether investing in Cisco solutions is profitable or not.

And there are many such examples. Specifically to demonstrate the various options for financially justifying the effectiveness of Cisco information security solutions, we prepared and narrated a presentation and posted it on our corporate YouTube channel. It describes 10 different scenarios showing how Cisco solutions (Cisco Web Security, ISE, VPN, Cisco Capital, Cisco Email Security, Cisco TrustSec and others) can be presented not in terms of threats (we fight a great many of them), and not in terms of compliance with legal requirements (here too we have something to say), but in terms of financial efficiency and the achievement of business goals.

In the end, our task is to look at information security not only from the traditional point of view, threats and regulations, but also from the point of view of finance. On one side of the “financial scales” we will have the losses from failing to implement protective measures (fines, downtime, the cost of investigation and recovery, customer churn), and on the other the business benefits obtained from implementing them (a shorter transaction cycle, geographic expansion, a new sales channel, growth in customer loyalty, revenue growth).
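The downtime example above (money lost, money not earned, money spent) and the “financial scales” can be put into a small model. The following is an added example, not code from the original post or from Cisco; every figure in it (revenue per hour, headcount, wages, attack frequency, the effect of the control, its annual cost) is constructed for illustration and should be replaced with numbers the finance department can confirm. It computes an annual loss expectancy for an outage scenario with and without a protective measure and reports what lands on each side of the scales.

```python
"""Added example: a "financial scales" model for justifying a security control.

Turns the three downtime cost components named in the post (idle salaries,
unearned revenue, recovery spend) into an annual loss expectancy (ALE) and
weighs it against the annual cost of a control that shortens or prevents the
outages.  All figures below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutageProfile:
    """How a disruptive event (for example a DDoS attack) behaves over a year."""
    events_per_year: float   # expected number of incidents
    hours_per_event: float   # average downtime per incident
    recovery_cost: float     # one-off spend to restore the pre-attack state


@dataclass(frozen=True)
class Business:
    """Inputs the finance department can confirm (constructed sample values)."""
    revenue_per_hour: float  # sales that cannot happen while the service is down
    idle_staff: int          # employees paid but unable to work during downtime
    hourly_wage: float       # fully loaded cost of one idle employee per hour


def loss_per_event(b: Business, p: OutageProfile) -> float:
    """Cost of one outage: money lost + money not earned + money spent."""
    idle_salaries = b.idle_staff * b.hourly_wage * p.hours_per_event
    unearned_revenue = b.revenue_per_hour * p.hours_per_event
    return idle_salaries + unearned_revenue + p.recovery_cost


def annual_loss_expectancy(b: Business, p: OutageProfile) -> float:
    """ALE = loss per event multiplied by the expected number of events per year."""
    return loss_per_event(b, p) * p.events_per_year


def weigh_control(b: Business, before: OutageProfile, after: OutageProfile,
                  annual_control_cost: float) -> dict:
    """Both sides of the scales for one control.

    `before` describes outages without the control, `after` with it (the
    assumed effect of the control: fewer or shorter outages, cheaper recovery).
    Returns the avoided loss, the net benefit and the return on the
    security investment (net benefit per unit of control cost).
    """
    ale_before = annual_loss_expectancy(b, before)
    ale_after = annual_loss_expectancy(b, after)
    avoided_loss = ale_before - ale_after
    net_benefit = avoided_loss - annual_control_cost
    rosi = net_benefit / annual_control_cost if annual_control_cost else float("inf")
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "avoided_loss": avoided_loss,
        "control_cost": annual_control_cost,
        "net_benefit": net_benefit,
        "rosi": rosi,
        "worth_it": net_benefit > 0,
    }


# Constructed sample scenario: an online service hit by DDoS a few times a year.
SAMPLE_BUSINESS = Business(revenue_per_hour=50_000.0, idle_staff=200, hourly_wage=25.0)
# Without mitigation: four attacks a year, eight hours down each, costly recovery.
DDOS_WITHOUT_CONTROL = OutageProfile(events_per_year=4, hours_per_event=8.0,
                                     recovery_cost=100_000.0)
# With mitigation (assumed effect): attacks still arrive but last half an hour.
DDOS_WITH_CONTROL = OutageProfile(events_per_year=4, hours_per_event=0.5,
                                  recovery_cost=10_000.0)
SAMPLE_CONTROL_COST = 300_000.0  # assumed annual subscription / amortised cost


if __name__ == "__main__":
    result = weigh_control(SAMPLE_BUSINESS, DDOS_WITHOUT_CONTROL,
                           DDOS_WITH_CONTROL, SAMPLE_CONTROL_COST)
    for key, value in result.items():
        print(f"{key:>13}: {value:,}" if isinstance(value, float) else f"{key:>13}: {value}")
```

The point of the model is the conversation it forces: each input is a number a manager can argue about (how many idle staff, what an hour of sales is worth, how much shorter the outage really gets), which is exactly the shift from “threat” to “money” the post describes. The `after` profile is the weakest link; it is an assumption about the control's effectiveness and should be stated as such when the figures are presented.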

And then our chances will increase significantly, not only of acquiring the security solutions we need, but also of our own growth within the company. Management is always pleased to talk with peers who understand the needs of the business, rather than with people who only block access to the Internet and read other people's correspondence, which is how information security is often perceived in many enterprises.

PS. Link to the presentation -