Seeking the highest levels of security is not only the right thing to do, it also makes financial sense long term. Most CIOs and senior managers would claim that security is their top priority, particularly when we see recent breaches at TalkTalk hitting the national news, not to mention many other household names that have suffered hacks that seriously damaged customer confidence, reputation and brand value.
Security should never be an afterthought, and according to Diane Myers, who is Principal Analyst with Infonetics, it is the top criterion for buyers of cloud communications. It seems that security is the most important concern among enterprise IT decision-makers, and this surely suggests that companies that do security well could find themselves at a competitive advantage over their less-secure rivals. So how do you go about getting your company to really focus on getting security right?
Think about it – simply doing a better job at addressing security problems could provide a competitive advantage. Organisations that are able to sidestep security issues often perform and operate better in other ways. This is because they’ve evaluated their processes and thought through how they can improve them. By instilling strong security processes they avoid the fines, wasted time and loss of reputation that their less security-conscious peers suffer. They also avoid the time wasted later, when the long-term impact of poor decisions and of looking the other way becomes critical because those problems have festered for years.
Getting management to buy in
For security and compliance directives to work, they need to come from the top, so it is imperative that you have the support of upper management. They need to make a long-term commitment and understand that it will take resources and reinforcement of good behaviour, which may include the exposure of bad practices, to ensure that the commitment sticks and is inherent across all business practices.
The key to this is quantifying the negative financial effects of a breach, and the positive effects of being an industry leader in the field, or of providing the highest levels of security built into products or services. For example, at 8x8, we were able to turn our compliance with stringent industry requirements such as HIPAA, FISMA, PCI-DSS and Safe Harbour laws into an advantage in the cloud communications arena. None of our direct competitors advertise that they comply with all of those objectives, which is understandable, because it requires a lot of work – but it has paid off for 8x8 in many business deals. We now regularly use our compliance as a unique competitive advantage.
An action plan to get you started
Set up a meeting with senior managers and follow these points:
- Summarise any recent security incidents – at your company or companies like yours – and talk about the potential for losses from such incidents in the future. You need not have actually suffered a loss – you can talk about what might have happened if circumstances had been a little different.
- Discuss the impact, root cause and economic benefit of avoiding recent incidents.
- Present a short, high-level summary of your plan to raise the level of awareness of security, compliance and their value to the company.
- Talk about what reasonable goals might be - both for the overall company and on a department-by-department basis. Department directors are usually more willing to support goals that align with the things they’re already being evaluated on. For example, an IT goal might be to reduce the number of successful phishing attacks, or reduce the number of unsecured desktops at the company. A customer service department might have goals concerning the detection of social engineering attacks by people impersonating legitimate customers. (A good VoIP phone system or contact centre software can help to achieve this goal, since they integrate with CRM systems such as NetSuite and Salesforce and match the incoming phone number, automatically popping previous contact information to the phone or screen.)
- Talk about quantifiable training objectives. Most security and compliance standards - including Sarbanes-Oxley, HIPAA, FISMA, Cyber Essentials and the EU Data Protection Directive - have explicit training requirements. Present a roadmap explaining how you propose to get there.
- Paint a picture of what success looks like - and how you might leverage a more secure, compliant company as a business improvement. Could you use improved security in advertising campaigns? Could you reduce losses and improve the bottom line? Can you use your plan to cut costs?
Most people who go in prepared, and can talk about the effect of security and compliance on the bottom line, are able to get top management to embrace security and endorse a long-term plan.
Mike McAlpen, Executive Director of Security and Compliance at 8x8