Sir John Parker, chairman of mining giant Anglo American, recently wrote in the UK Institute of Director’s Business Risk Guide that, “Controlled risk-taking lies at the heart of all commercial activity... [and] the board has the potential to be both a source of risk to the organization as well as an effective means of risk mitigation.”
Secure IT is a key business enabler that forms the cornerstone of many enterprises. For certain
e-commerce businesses, it represents their only route to market. It surely follows, therefore, that security professionals should have representation in the boardroom when it comes to dictating the future direction and success of the organization? However, all too often they don’t.
For example, PwC’s ‘Global State of Information Security Survey 2013’ gives Europe a high rating for employing CISOs and chief security officers but notes that, “these executives report to the top of the house less often than in the three other leading regions”. The nub of the problem is that IT professionals understand the security risks but struggle to get buy-in when it comes to taking pre-emptive action to address them.
The Business Case
Employees with a solid grounding in IT and security understand both the existing risks and new vulnerabilities that will be introduced through the evolution of technologies. Conversely, getting buy-in from business people to address those threats involves translating these IT risks into corporate risks. Only in this way can they be properly communicated to the boardroom audience. The answer is to learn the language of the boardroom and what matters to its members.
An example would be how CISOs go about making the case for a financial commitment to invest in security. The board won't necessarily understand the intricacies of the solution the IT department is proposing to keep systems up and running, but they will take notice if the person in charge of security can compellingly articulate the financial implications of system down time or outline the financial impact of a security breach upon future sales.
Such compelling key performance indicators (KPIs) for the board include: loss of trading due to down time; damage to corporate reputation; potential compensation claims; and the regular six-figure fines we have seen issued to organizations that fail to keep sensitive customer information secure. Pitched in these terms, the up-front expenditure for security solutions becomes much more tangible as an investment.
I believe IT professionals also need to go a step further and push for security to become an integral part of business planning. This provides a much better platform for making informed decisions on acceptable levels of risk and the appropriate budgets for reducing them. It also positions IT as a business enabler as opposed to being a technology provider.
Many organizations only give security the attention it deserves after they have become the victims of a breach. So what practical steps can IT professionals take to improve the situation? The big issue seems to be communication.
Security can often be perceived as obstructing innovation, so it is important for the IT security specialist to focus on strategy. Look beyond the tactical request to the wider business needs, and increase security in the process. So if there is an interest in cloud computing and ‘bring your own device’ (BYOD) to cut costs and enable business agility, explain how associated security risks can be mitigated through effective data management, secure web access and staff training.
Running a secure organization is as much about culture, people and processes as it is about technology. The organization’s most senior decision makers therefore need to be actively involved in ensuring this is achieved. And it is the responsibility of IT directors and CISOs is to develop the effective business consulting skills that will give them a compelling voice at the top table.
Philip Bindley is a Certified Information Systems Security Professional (CISSP) and CTO of The Bunker, a cloud and managed services provider