The ROI for Security Training
Editorial note: I originally wrote this post for the ASPE blog. You can check out the original here, at their site. While you’re there, check out their catalog of online and in-person training courses.
When it comes to IT’s relationship with “the business,” the two tend to experience a healthy tension over budget. At the risk of generalizing, IT tends to chase promising technologies, and the business tends to rein that in. And so it should go, I think.
The IT industry moves quickly and demands constant innovation. For IT pros to enjoy success, they must keep up, constantly re-orienting themselves in a shifting landscape. They also operate under a standing directive to improve efficiency, which, almost by definition, requires availing themselves of tools. They may write these tools or they may purchase them, but they need them either way. In a sense, you can think of IT as more investment-hungry than most facets of the business.
The business’s leadership then assumes the responsibility of tempering this innovation push. This isn’t to say that the business stifles innovation. Rather, it aims to discern between flights of fancy and responsible investments in tech. As a software developer at heart, I understand the impulse to throw time and money at a cool technology first and figure out whether that made sense second. The business, on the other hand, considers the latter sensibility first, and rightfully so.
A Tale of IT and the Business
Perhaps a story will serve as a tangible example to drive home the point. As I mentioned, my career background involved software development first. But eventually, I worked my way into leadership positions of increasing authority, ending up in a CIO role, running an IT department.
One day while serving in that capacity, the guy in charge of IT support came to me and suggested we switch data centers. I made a snap judgement that we should probably do as he suggested, but doing so meant changing the budget enough that it required a conversation with the CFO and other members of the leadership team.
Anticipating their questions and likely pushback, I asked the IT support guy to put together a business case for making the switch. “Explain it in terms of costs and benefits such that a non-technical person could understand,” I advised.
This proved surprisingly difficult for him. He put together documentation talking about the relative rates of power failures, circuit redundancy, and other comparative data center statistics. His argument, in essence, boiled down to one data center having superior specs to the other’s, plus vague proclamations about best practices.
I asked him to rework this argument, suggesting he articulate the business case using sort of a mad lib: “If we don’t make this change, we have a ______% chance of experiencing problem _______, which would cost $_______.”
This proved much more fruitful. We made the case to the CFO and then made the switch.