This is the age of hacktivists and terrorists, and –ists of every malicious ilk, yet many businesses continue to rate IT security on par with housekeeping -- a necessary but costly activity beneath C-level executives’ notice.
But, given recent, constant and costly security breaches of the past 18 months or so, it is imperative to move security to the forefront of business planning as a matter of survival. For many CIOs, the problem is convincing their companies to look at security in this new light. But there are ways to get the message across more fully.
“Make the case that an ongoing ‘security delta’ should be added to the current IT budget for legacy applications and make the business case for new applications,” advised Jim Leach, vice president of Market Development for Harris Corporation, an international communications and information technology company. “Justify the spend using the drop in stock market valuation for the publicly traded companies that are fighting off cyber terrorists.
“Remember, a one-time budget initiative will not secure your IT systems on an ongoing basis,” he warned.
It is imperative to point out that failure to recognize the full impact that security issues can have on a company’s worth may lead to the sudden demise of an otherwise profitable venture. Examples are plentiful: The prolonged attack on Sony is costing $171 million and counting and the TJX breach cost $256 million dollars to remediate. These two incidents (and there are plenty more) easily illustrate that security must now shift to a higher level in business planning.
“Cyber security has become bigger than a risk/reward or return on investment analysis can convey,” said Ben Benjamin Wright, an attorney, SANS Institute Instructor and author.
“It’s now mission critical,” he explained. “From the perspective of a board of directors, achieving genuine security is like hiring a top executive: Do it right and the company thrives. Do it wrong and the company suffers dearly.”
Whenever Alan Wlasuk, CEO of 403 Web Security, a company that specializes in Web security development and testing, speaks about bringing businesses into the security fold he likes to relate a conversation with a fellow IT associate who insisted his current approach to security was plausible deniability.
“My associate, a software development consultant, stated his current approach to security was to avoid any conversation about the security of his product,” he said. “If/when his work product was hacked, he could stand on the premise that, to the best of his knowledge, he had provided a secure product."
"At least in the past, his ostrich approach worked -- his clients, large and small companies, hardly ever asked about security.”
This certainly isn’t cutting muster now.
“With the huge numbers of media, visible security breaches in the last year, however, businesses are asking their internal and external IT teams to consider security as part of the specifications of any IT product,” said Wlasuk.
And that new demand for security to be part of product specifications is another point for CIOs to hammer home in the business case for added security measures.
Security as a brand differentiator
“Quite frankly, any money companies spend which doesn't contribute directly to the bottom line is seen as an expense and a nuisance,” said Matthew "ROI" Stern, founder of The CIO Source, a firm that provides CIO services to several small and medium sized businesses. “From general security issues to compliance, it's all seen the same. The only time I've seen it become a priority is if they have a leg up on the competition and they can use this in their marketing.”
And therein lies the last great argument a CIO can use to move security to the forefront of business planning. Not that any company can or should boast of 100% infallibility; to do so would simply invite attacks. However, security can be used as a brand differentiator without ever making such a foolish claim.
“Only a few companies, in very specialized industries, can use an internal superior security position as an opening branding differential,” explained Wlasuk. “But any company can shine in an industry environment where the majority of their competitors have suffered from confidence destroying security attacks.”
If the CIO makes a comprehensive business case for security as both profit protector and profit generator, then the rest of the C-suite will come onboard.
When the CIO takes such a lead in the company’s overall strategy, the CIO “has transitioned from a firefighter to a rainmaker,” said Marc Gaffan, vice president of Business Development at Incapsula, a website security provider.
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).