All the while we have been hearing and believing that ISMS implementation in any organization requires management approval, without which it would be a failure. True!
For any project in an organization, for that matter, management approval is a must, because for a project to kick-start and complete with the desired results it requires resources, budget, tools and so on. These can be obtained only if the project manager shows the management that the project creates value that favours the organization. That value can take many forms, but ultimately it boils down to making profits or avoiding monetary or reputational loss.
The above is typically considered a top-down approach. In most cases it is difficult to get management approval for an Information Security Management System (ISMS) implementation project unless it is strongly triggered by the internal management, by clients or by compliance requirements. Here I would like to mention two different approaches which can influence the management into providing approval and the required support.
- Department level implementation
- Incident Management
In the department level implementation, we need to identify those departments whose managers understand and have an interest in implementing and practising information security within their department. It would be great if we get a department that is core to the organization. If not, I think we should just proceed and give those departments some sort of incentive for implementing and practising information security. Now the Information Security Officer (ISO) has a job to do. He/she will need to understand and collect information such as the improvements gained from implementing controls in that department and how that has helped the department secure its information. Such information should be propagated to the entire organization, which will help other department managers understand the importance of implementing information security practices and the benefits of doing so.
For example: we can show that there was a virus outbreak in the organization, that this department was not affected by it because they had implemented anti-virus software and applied strict access controls to their data, and that the amount of time saved by the department was X days. This is just an example to portray to the management; please do not create a virus outbreak in the organization.
Another approach would be to talk to the IT department. The language that the management understands is numbers, in terms of money. The moment you show them that they will make a loss of X amount due to a risk in the organization, they will jump to see if they can mitigate that risk. The best way to take this approach is to have a person in the IT department simply document all the incidents that happen in the organization. These will mainly be IT related, but that doesn't matter. The job of the ISO is then to determine the amount of time lost in bringing the business back to normal after the incident has occurred and caused its damage.
Let us take an example and collect this information.
A development server crashed in the organization. OK, the IT team is on the job. The parameters that can be checked are as follows:
- How many members of the IT team are working on this incident?
- What was the reason for this incident?
- How much time did it take to recover from this incident?
- Which departments were affected? How many employees are there in those departments?
- What is required to ensure this does not happen again?
Let us answer these questions:
- Two server administrators, at an hourly rate of $30
- Let's say a wrong configuration on the server
- It took about 4 hours
- Two departments with 7 employees each were affected. They were unable to carry out their work for the time the server was down.
- Develop configuration documents and ensure that any configuration change is done with reference to these documents. The server administrators need to be trained.
What is the loss to the organization?
- $30 per hour, two server administrators working for 4 hours: $30 * 2 * 4 = $240
- Two departments of 7 employees each (14 employees) at $40 per hour, idle for 4 hours: $40 * 14 * 4 = $2240
- Total loss = $240 + $2240 = $2480
- Cost involved in ensuring that this does not happen again: I will leave it to you to work that out. Compare that one-off cost against $2480 per incident multiplied by how often such crashes occur, and the control either pays for itself or it does not.
I would also probably look at the cost incurred if those department employees have to work overtime to cover the lost productivity. This would add another $2240. But let's not go that deep.
The question that would arise here is "We need to pay the server administrators anyway, so how does it matter?" Those four hours were taken away from the work the administrators were scheduled to do, so the time is still lost to the organization. And consider if this recovery had to be done by a product vendor: we would probably have ended up paying double the cost.
But the idea here is to get this cost across to the management, who understand these numbers. If such incidents can be captured in an organization and converted into numbers, this is the best way to present the case to management and obtain their approval. In the same way, this can be sold even to your department managers, before asking them to implement best practices.