Securing Funding for Security Fundamentals

Sep 18 2007

Last week I participated in a Cisco-sponsored round table of infosec executives and managers. Although I’m not one at the moment, I used to head security at Amazon.com. I still travel in those circles as a consultant and speaker.

The topic was ways to get funding for security initiatives. How’s this for cool: one of the speakers was Tom Nicoletti, current venture capitalist and former CFO, who over the years had seen many a security purchase order cross his desk. From the sound of things he had signed precious few. After I heard him out it was pretty clear why. Nearly made me wish I could turn the clock back to my former purchase ordering days.

Here were some of the collective takeaways:

  • First and foremost, have a crisp layman’s response to: What problem are we solving? Stutter and you might leave worse off than you entered.
  • Whatever your case may be, make sure it’s understandable with a single slide and under five minutes.
  • Speak in your company’s business dialect. “This product will help keep those freakin’ bad guys out next time” is a far cry from “This product will enable us to meet our availability objectives in the face of another revenue-denting distributed denial of service attack during peak website traffic.”
  • Speak to your initiative’s tax benefits, assuming it has R&D components that qualify.
  • Timing is crucial. Except in the most dire circumstances your initiative must be capex-friendly, something that usually oscillates on a schedule, and always correlates to stock price.
  • Never pitch the best-case results scenario. If you achieve it, great, you’ve over-delivered. Pitch two cases: likely and worst. If the worst is no better than what you have today, then by definition you don’t have an initiative.
  • Play the policy card when you really, really need to, treating it as a rare trump. “Our policy says we encrypt all company laptops. If we don’t do it now, we’ll need to downgrade the policy.” Don’t have front-and-center policies backing your initiative? Then quit writing purchase orders and start writing policies.

Posted by Larry J. Hughes, Jr. on Tuesday, September 18th, 2007, at 11:06 am, and filed under Articles.
