IT managers do not need to be convinced that security is important: they already know that it’s a business imperative. It’s the CEOs who need to be persuaded. As the 2004 edition of Ernst & Young’s annual Global Information Security Survey revealed, only a fifth of respondents agreed that their organisations perceive information security as a CEO-level priority.
So why is security a CEO-level priority? If it were simply a matter of technology, then it would be much lower down the list. But security is also about policies and ensuring people do the right thing every time. This requires the right culture and environment - and management buy-in. The CEO won’t stop a hacker or deflect an incoming virus, but he can minimise the problem of user error – and make the controls in place far more effective.
Of course, security can be a hard-sell – something the company might need one day, rather than something it must have right now. As any salesman knows, doom and gloom does not shift product! So instead of focussing on the negative – the ‘what if’ scenario – we need to explain the positive: how security adds value.
For example, the benefits of mobile and flexible working are now widely recognised. But it is effective security that will make sure they will be realised. Equally, collaboration in the extended enterprise - another big trend - relies on comprehensive security in order to work effectively.
These are just two examples. Whatever the nature of the organisation’s business, there will almost certainly be a way in which security enhances it. Making it clear that security helps the CEO do his job better by making the company more successful is the best way to get it on the agenda.
One of the problems faced by security experts is that there is often a fundamental misunderstanding at the highest levels. Once the CEO’s attention has been caught, it’s then a question of explaining what the threats are and where they come from: user communities are a far bigger problem than anti-social teenagers or sinister men in dark glasses. Making security a more concrete reality in this way provides further evidence of the added value that it provides.
At this point the language used becomes important. Convincing the CEO of the benefits of security illustrates exactly why security specialists need to be able to operate effectively in both the technical and the managerial fields.
CEOs speak the language of business strategy, not technical gadgetry, and security experts need to do the same. That means discussing actual benefits that will be realised, rather than theoretical ideas. To do that effectively, security professionals should understand what the CEO’s top priority is. Generally speaking it’s profitability for a private company; shareholder value in a publicly listed one; and balancing the budget in the public sector. These are the points of reference to be born in mind.
Research shows that most senior executives still think about security breaches in terms of disruption and annoyance – not in terms of cost. So the value of the goods at risk – in this case intellectual property, company productivity, and reputation – needs to be quantified.
There are plenty of research papers out there to help. But even more impressive are statistics based on the individual company’s circumstances. There are useful models within the insurance business – such as calculating consequential losses - that can be drawn on to help calculate and explain the costs of business interruption.
There is also a growing need for security experts to have an understanding of the legal situation, since the role of security in legislative compliance also needs to be explained. Most organisations operate within the parameters set by a number of national and international regulations, laws, and codes of conduct, that can carry severe penalties and even personal liability for the chief executive.
However dashing off to law school, or taking up actuarial training is not necessary. Most of this boils down to risk - something both the security teams and the CEO understand very well.
Preparing a comprehensive risk assessment places both parties on familiar ground. Backed up with the relevant benefits analysis, financial data, and projections for the impact of future business plans, it can be a pretty powerful tool couched in exactly the right language.
A comprehensive risk assessment will also help address one of the other major challenges: the fear of inflexibility. Many CEOs are concerned that stringent security measures will create an environment in which creativity is stifled and the ability to respond swiftly to circumstances is severely curtailed. This is why the risk assessment and the financials are so important – to prove that the intention is not to create a virtual Fort Knox.
The final point in helping the CEO run a secure and compliant ship, is to persuade them that security is not something to be implemented and forgotten about – it needs to be monitored, reviewed and updated where necessary. And that requires regular dialogue at senior level.
Scaremongering will not help the CEO, and it will not help secure the organisation. On the other hand, a combination of positive messages, expressed in business language and accompanied by financial data and comprehensive risk assessments will work to everyone’s advantage.
Ray Stanton, Global Head of BT Security Practice, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.