How to secure your security budget
Getting money to invest in information security, in the absence of a major breach, has always been a challenge. Part of the difficulty can be overcome if information professionals learn to frame the discussion in terms of an organization's tolerance for risk, writes Mathew J. Schwartz in an article at InformationWeek.
CIOs need to gauge business leaders' appetite for risk before discussing technology or recommending a certain level of security. "If you're OK with losing 100,000 records, then I'll build the capabilities to deal with that," is one way to put it, says John P. Pironti, president of the risk and information security consulting firm IP Architects.
In addition to knowing how much the business is willing to risk, you also need to be certain what data you have and where it resides, which can be done by taking inventory of assets and mapping business processes, Pironti advises.
Cloud computing presents a new set of risks, and at this point most of those risks appear to fall on the shoulders of the customer. Centralizing vast amounts of data in one place gives cyber crooks an opportunity to inflict widespread damage by compromising just one provider's system, as the recent breach at Epsilon illustrated.
Before recommending any security technologies, figure out how the business prioritizes its risks. In other words, develop a risk management program rather than an information security program. That way, the investment matches the priorities of the business.
"[I]nside a business leader's mind, 'security' equals cost and prevention. But once you talk risk, it's back under their control. You'll get the budget," Pironti says.
For more:
- see Mathew J. Schwartz's article at InformationWeek