The idea of selling security to an organization is one that may be easy or difficult based upon a number of factors, both internal and external. The success of selling security to an organization and securing the necessary resources for accomplishing the mission that is tasked to it may depend upon the overall financial health of the organization, the organization's past history with security-related issues such as workplace violence, how much the organization is losing to theft each year, or where the organization is physically located. The risks of not investing in security within an organization have to counter the perceived downside of the costs of budgeting for security. While a company's budget makers may acknowledge the risks that the organization faces, the current economic situation may cause an organization to make cutbacks in security as they take a head-in-the-sand approach to security issues, figuring that the chance of something happening is outweighed by the cost of trying to prevent it (Barreiro, 2012).

I think that the single most important way of selling security to an organization is by conducting a thorough and accurate risk analysis and assessment. Risk analysis and assessment, as defined by Sennewald, is very simply determining what risks the organization faces and how likely the organization is to be impacted by these risks (2011). In the analysis phase the organization can easily be broken into four main areas to be protected by the security division: people, facilities, reputation and property. These assets are then looked at from the perspective of the risks they face, which could be things such as theft, natural disasters, internal theft, fire or terrorist attack. Risk assessment then estimates the likelihood of an incident taking place as well as the potential loss that the organization faces if the event does take place (Stoneburner, Goguen & Feringa, 2001).

This process allows the security manager to lay out the vulnerabilities that the organization faces in a clear and organized fashion and gives the manager a starting point in determining the requirements of the security division. Identifying risks and their impact gives rise to the next part of selling security to an organization: developing a plan for mitigating these risks. While it is important for a security manager to identify the risks that face the organization, they must also develop a plan for mitigating them. This mitigation plan should involve both the prevention of the risks and plans to lessen the amount of loss in the event that one of these incidents takes place. Risk mitigation can take many forms, including training, additional staff, technological resources or policy changes (Sennewald, 2011). The mitigation plan could even involve all of these forms to properly reduce risks and their impact. A good example of a risk that could call for a multifaceted mitigation plan is fire safety. Risks from fire can be expressed in both financial and human terms. In order to mitigate these risks, a plan could take the form of fire drills, policies regarding the storing and disposal of flammable materials, and improved fire detection and suppression systems. The same approach could be used for internal and external theft, hazardous materials incidents, bomb threats or labor unrest. The establishment of mitigation plans then allows the security manager to develop a budget based upon the mitigation plan and its requirements as they fulfill the overall goals of the company.

The final part of selling security to an organization is proper presentation. While it is imperative that a proper security assessment and risk management plan be conducted, staffing levels be determined, training needs assessed and technological tools be chosen, it can all be for nothing if the plan cannot be properly presented to management and the needed budget is not secured. There are a number of things that the security manager must be able to do and to remember when presenting this. According to Barreiro, the most important part of this is to know the audience you are dealing with. If they are not familiar with security operations, do not overwhelm them with trade jargon and slang; instead, talk about security operations in terms of dollars and cents added to the company's bottom line. He also advises against what he refers to as fearmongering, or in other words the Chicken Little Syndrome. A security manager may find that harping and concentrating on risks too much may desensitize management to the real risks that are out there. Like Chicken Little yelling that the sky is falling, when the sky actually starts to fall no one may take the security manager seriously due to too many false alarms (2012). It also cannot hurt the presentation of the security plan and budget to take the time to make the security department and its operations personally known to managers within the company. It is one thing to talk about the need for a new secure entry system in a board room, but it is an entirely different matter to take the time to show managers how the old system works and how the new system will improve upon the current technology. By taking the time not just to talk about the hardware and programs but to give a hands-on demonstration of them, the security manager should give management a better understanding of the important role that security plays within the corporate structure and how it is an asset, not a debit, to the company (Sennewald, 2011).
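The essay's chain of risk analysis (assets and threats), risk assessment (likelihood and projected loss), mitigation planning and budgeting can be carried through in the "dollars and cents" terms it recommends. The register below is an added example, not part of the essay or its sources; the expected-annual-loss model, the one-control-per-risk budget rule and every figure in it are assumptions constructed for illustration.

```python
# Added example: a risk register that carries analysis -> assessment -> mitigation -> budget
# through in dollars. Assumed model (not from the essay): expected annual loss = likelihood x
# loss per incident; a control is worth funding when the loss it avoids exceeds its annual cost.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str          # one of the four areas: people, facilities, reputation, property
    threat: str
    likelihood: float   # expected incidents per year
    loss: float         # projected loss per incident, in dollars

@dataclass(frozen=True)
class Mitigation:
    name: str
    risk: Risk
    annual_cost: float          # annualized cost of the control
    residual_likelihood: float  # likelihood with the control in place
    residual_loss: float        # loss per incident with the control in place

def expected_annual_loss(r: Risk) -> float:
    return r.likelihood * r.loss

def annual_benefit(m: Mitigation) -> float:
    """Loss avoided per year minus the control's cost; negative means not worth funding."""
    return expected_annual_loss(m.risk) - m.residual_likelihood * m.residual_loss - m.annual_cost

def rank_risks(risks):
    return sorted(risks, key=expected_annual_loss, reverse=True)  # worst expected loss first

def budget_case(mitigations, budget):
    """Fund at most one control per risk, best net benefit first, within budget.
    Returns (funded names, unspent budget, total net benefit per year)."""
    funded, covered, spent, benefit = [], set(), 0.0, 0.0
    for m in sorted(mitigations, key=annual_benefit, reverse=True):
        b = annual_benefit(m)
        if b <= 0 or m.risk in covered or spent + m.annual_cost > budget:
            continue
        funded.append(m.name); covered.add(m.risk)
        spent += m.annual_cost; benefit += b
    return funded, budget - spent, benefit
# Constructed sample register (not real data)
FIRE = Risk("facilities", "fire", 0.05, 2_000_000)
THEFT = Risk("property", "internal theft", 6.0, 4_000)
VIOLENCE = Risk("people", "workplace violence", 0.2, 150_000)
CONTROLS = [
    Mitigation("fire detection and suppression upgrade", FIRE, 30_000, 0.05, 200_000),
    Mitigation("flammables policy and fire drills", FIRE, 5_000, 0.02, 2_000_000),
    Mitigation("access-controlled stockroom", THEFT, 12_000, 1.0, 4_000),
    Mitigation("threat-reporting training", VIOLENCE, 8_000, 0.1, 150_000),
    Mitigation("24x7 guard post", THEFT, 60_000, 0.5, 4_000),
]
```

With a constructed budget of $50,000, `budget_case(CONTROLS, 50_000)` funds the fire upgrade, the stockroom and the training and leaves the guard post out because its cost exceeds the theft loss it would avoid.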

Barreiro, A. (2012). How to sell information security to management. Retrieved from http://www.techrepublic.com/blog/security/how-to-sell-information-security-to-management/7244

Sennewald, C. (2011). Effective Security Management. Burlington, MA: Butterworth-Heinemann.

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). Gaithersburg, MD: National Institute of Standards and Technology.