CISO To Channel: Sell Cybersecurity By Pitching Business Benefits


For Thatavarthy, the goal at Haemonetics was to ensure that security was a key part of the company's infrastructure improvement plans. The company needed to replace legacy firewalls that were severely inadequate. Instead of focusing on firewall security benefits, Thatavarthy said he focused on the benefits of increasing the company's sluggish network traffic speeds and how faster access to cloud applications could boost employee productivity. The implementation greatly reduced latency between the company's headquarters and its global locations.

In a bid to get the company to embrace laptop encryption for better data protection, four laptops were bricked during the testing process and the data could not be recovered. The company had no backup and recovery strategy in place, Thatavarthy said, and saw the business value of always having an available cloud-based backup.

Employees also were constantly fumbling with multiple passwords to get into more than a dozen cloud applications and myriad databases. Different provisioning models had many staff engaged in role creation and removal of employee access when they left the company. Thatavarthy sought to solve the company's authentication issues by implementing single sign-on and identity management. He got buy-in for SSO by focusing on the business benefit of fast, automated access granting without the need for an ad-hoc approval process.

Modern VPN capabilities were established that also provided better performance and were easier to use. A partner catalog was established mainly to provide more secure remote access for partners and disable inactive accounts, but the business value was connectivity improvements for business partners and vendors.

Building relationships in all areas of the company was a key part of getting the funds to provide data protection and improve efficiencies, Thatavarthy said. Changes wouldn't have been as broad if security simply demanded an investment in security from security executives, he said. There is nothing more valuable than being able to explain to the board of directors the business value that security provides to the company, he said.

"Being in security, you always need to be technically savvy, but at the same time being able to communicate in nontechnical and business value terms is very important," Thatavarthy said. "No one has enough budget for security except for the guy who sat next to me with a $100 million budget, and he’s still unhappy."

PUBLISHED MARCH 27, 2014