Making a Case for Information Security Investments

Program gives information security professionals tools to protect their firms.

Less than a decade ago, information security was a niche concern for a cohort of IT professionals who mostly kept to themselves within their organizations. But times have changed. Never mind the recent front-page headlines about the Chinese government hacking into U.S. corporations, or the Twitter accounts of major firms being commandeered by the infamous Anonymous and LulzSec hacker groups. Information security experts have known for years that they play a more vital role in the well-being of their firms and this is now more true than ever before.

With the increased importance and responsibility of information security professionals comes a need for new skills. More and more, such professionals are called into boardrooms and C-suites to explain the need for investments in hardware and software, are expected to teach employees about risky online behavior, and are asked to have a voice in discussions about new processes across their firms.

Business Engagement and the Information Security Professional (BESP), an innovative executive education program at Tuck, gives participants the tools to do their jobs in this new world of ubiquitous and potentially expensive cyber threats.

The weeklong program, taught at the Tuck campus, is organized around the themes of finance, risk, peer learning, and communications and leadership. It was conceived by Hans Brechbuhl, the executive director of Tuck’s Glassmeyer/McNamee Center for Digital Strategies, and is taught by a group of distinguished Tuck faculty members who are leaders in the fields covered by the program.

For Kevin Daniels, a senior information security manager at eBay who attended the program in 2011, mitigating information security risks is a two-step process: identifying the risks, and then figuring out what to do about them. “The second step involves converting the security risk into a financial risk,” he said, “so that our business units can better understand them and prioritize which ones to fund. That’s been a really key thing I took away from the training.”

Ramachandra Hegde, the chief information security officer at Praxair, voiced a similar sentiment. “At the end of the day, there’s nothing that’s just a security risk,” he said. “It’s all business risk.” That means information security professionals have to be fluent not only on the technical side of their jobs, but also in the financial language that senior managers use when making business decisions. “This course, with its grounding in finance, communications, and risk, helps information security leaders to better express security risks in clear terms that senior business executives can understand,” he explained.

But even for information security professionals, calculating risk can be a challenge. To address this, the program includes a session that leads participants through a Monte Carlo simulation around whether or not to encrypt laptops. The case analyzes the probability of financial loss if someone in a firm loses a laptop, and uses a mathematical model to weigh that expected loss against the $500,000 expense of encryption. “It was a nice, tangible real-world example,” said John Holland, the chief information security officer at Credit Suisse. “I used that back in my own organization to calculate return on investment for a couple of more challenging security funding requests I was looking to put forward. It was effective.”
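The kind of laptop-encryption simulation described above, written here as an added illustration rather than the program's own case material: only the $500,000 encryption expense comes from the article, and the fleet size, loss rates, record counts and per-record costs are constructed assumptions a practitioner would replace with their own figures.

```python
import random

# Figure quoted in the article; every other parameter below is a constructed assumption.
ENCRYPTION_COST = 500_000
LAPTOPS = 500                 # assumed fleet size
P_LOST = 0.02                 # assumed annual loss/theft probability per laptop
P_SENSITIVE = 0.30            # assumed share of lost laptops holding regulated data
P_BYPASS = 0.01               # assumed chance encryption fails to protect (disabled, weak passphrase)
RECORDS = (100, 5_000)        # assumed records on a sensitive laptop (uniform range)
COST_PER_RECORD = (50, 250)   # assumed notification/remediation cost per record (uniform range)


def simulate_year(rng, encrypted):
    """Total breach cost for one simulated year across the whole fleet."""
    total = 0.0
    for _ in range(LAPTOPS):
        if rng.random() >= P_LOST or rng.random() >= P_SENSITIVE:
            continue                      # not lost, or lost but held nothing sensitive
        if encrypted and rng.random() >= P_BYPASS:
            continue                      # encryption held: lost hardware, but no breach
        total += rng.uniform(*RECORDS) * rng.uniform(*COST_PER_RECORD)
    return total


def run_simulation(trials=2_000, seed=7):
    """Run both scenarios over many simulated years and summarise the loss distributions."""
    rng = random.Random(seed)
    without = sorted(simulate_year(rng, encrypted=False) for _ in range(trials))
    with_enc = sorted(simulate_year(rng, encrypted=True) for _ in range(trials))

    def mean(xs):
        return sum(xs) / len(xs)

    def p95(xs):
        return xs[int(0.95 * (len(xs) - 1))]

    savings = mean(without) - mean(with_enc)
    return {
        "mean_loss_unencrypted": mean(without),
        "mean_loss_encrypted": mean(with_enc),
        "p95_loss_unencrypted": p95(without),   # tail matters more to a board than the mean
        "p95_loss_encrypted": p95(with_enc),
        # share of simulated years in which unencrypted losses alone exceed the encryption spend
        "p_loss_exceeds_encryption_cost": sum(x > ENCRYPTION_COST for x in without) / trials,
        "expected_annual_savings": savings,
        # positive when one year of avoided losses repays the quoted expense (assumed annualised)
        "net_benefit": savings - ENCRYPTION_COST,
    }


if __name__ == "__main__":
    for key, value in run_simulation().items():
        fmt = "14.3f" if key.startswith("p_") else ">14,.0f"
        print(f"{key:32s} {value:{fmt}}")
```

Because the output is a distribution rather than a single number, the 95th-percentile and "probability the loss exceeds the spend" figures let the request be framed in the financial-risk terms the article's participants describe.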

Perhaps more often than they ask for money, information security professionals ask for cooperation from other employees to reduce information security risks. “This isn’t a job where you get to dictate how things are done,” said Brechbuhl. “You have to cajole, influence, make a case.” For this reason, the program includes sessions on communications, taught by professor Paul Argenti, and leadership through influence, taught by professor Pino Audia, the faculty director at Tuck’s Center for Leadership.

Hegde found those sessions especially helpful to his practice. “More and more, I’m trying to set a direction by influencing, educating and changing user behavior,” he said. “I’ve learned that it’s much more effective to do that when you are nudging users—for instance, by changing defaults—or by gradually helping them better understand the issues. It’s much more effective than making system changes that are so difficult the users either get frustrated or find a way around them.”

Not all of these skills come directly from the lesson plans in the classrooms. Others come from the peer-to-peer learning that happens each day. Every morning and afternoon, the sessions begin with a 10-minute presentation on best practices from the participants. They then vote on which ones to discuss more in-depth during a working lunch on the last day. With participants from a variety of backgrounds, these meetings are always instructive. “I don’t get to talk to someone from Bechtel or a pharmaceutical company on a regular basis,” said Holland, “and the reality is we’re all trying to protect intellectual property. If this had been a course with just information security professionals from the financial industry, I would have gotten less value out of it.”

Brenda Bjerke, the director of information protection at Target, also found a lot of value in the peer interactions, both for benchmarking and learning new security strategies. “Some of the companies had different tactics for awareness, which I thought were interesting,” she said. “Information security is an ever-changing environment, so we’re always monitoring our colleagues’ practices to adjust appropriately.”

To continue the conversation when the program ends, Brechbuhl has set up a LinkedIn page for alumni. It has proven an easy way for the participants to stay in touch and keep learning from each other. “Several of the participants came from fairly mature information security programs,” said eBay’s Kevin Daniels, “so it’s been nice to have them as a resource to bounce ideas off.”

Participants will represent the following companies: