The IT department must convince the CEO and senior business leaders that security breaches pose a significant risk to the business and can potentially be very damaging, not only to business continuity but also to competitive advantage and the company's reputation. Members of the board must realize that they have to get security right the first time.
The CEO would certainly react if someone physically tried to break into his house or office building, yet every day countless people are trying to gain unauthorized access to a company through its IT infrastructure. All too often the CEO does nothing about it, either because he doesn't know or because he simply doesn't see these people as a threat to the business. He knows the company has firewall and anti-virus systems, so why should he worry?
Although he doesn't see these people as a threat, others increasingly do. It is interesting to see that insurance companies are now refusing to include corporate IT security breaches within their core policies. Obviously they are seeing more breaches and more claims being made, and so they are taking steps to limit their exposure.
Business leaders don't need to be directly involved in IT security, but they do need to be aware of the main threats posed to the business from a security breach, as it is they who are ultimately responsible if, for example, the company breaches the Data Protection Act (or other equivalent legislation) through poor IT security.
The board must appoint a senior person responsible for IT security, a CSO or IT director to advise the leadership team. The CSO / IT director needs to understand their organization's business objectives and map how potential breaches will affect the stakeholders. Once they have this information, they need to communicate this in a way that the business leaders can understand.
One of the CSO or IT director's biggest battles is to beat the 'ROI measurement'. Security is a preventative tool and its ROI is very hard to measure: if it all works, you will never know how much money you could have lost.
In order for the CSO/IT director to understand the impact of a security breach, they need to regularly run scenarios that identify the possible effects on the business. They also need to run regular penetration tests, although a sufficiently determined person will always be able to penetrate the network in some way.
There are three general business areas where a CSO or IT director needs to be regularly updating the business leaders on the risks posed from a security breach. These three areas are the risks to business continuity, competitive advantage and reputation.
Not maintaining business continuity ultimately results in lost revenue. It is generally accepted that business continuity cannot be maintained at all times, but a CSO/IT director needs to make the business leaders aware of the consequences and risk of a security breach.
With increased levels of attacks on organizations using increasingly sophisticated viruses, the likelihood that a breach will happen and significantly impact business activity is also increasing, especially as business continuity relies so heavily on the network. Take the Bank of America. On Saturday January 25, 2003 the bank was affected by the Slammer worm. Its impact on the network resulted in the majority of Bank of America's 13,000 ATMs not working for a large proportion of that day: business continuity was affected, revenue was lost and the company's reputation was damaged through the adverse publicity.
Competitive advantage is important for organizations if they want to survive in this global economy. A breach of IT security might not damage the organization in the short term, but companies must be aware of the longer-term risks. Corporate espionage still takes place and organizations need to protect against this to maintain their competitive advantage. The problem with corporate espionage is that a breach of security often goes unnoticed and it is only when a mistake has been made or the damage is done that an organization identifies a security breach. A CSO/IT director needs to make the business leaders aware of the possibility of corporate espionage taking place through a security breach. Ongoing penetration testing should identify the risk areas.
Reputation is important to all organizations, as both existing and potential customers are influenced by reputation. As more business activity is conducted online, both in the business and consumer worlds, more and more personal information is stored in databases. Business and consumers form a relationship based on trust with those that hold their information – they trust that this information is secure and that others cannot access it. If that information is compromised, then the adverse publicity will affect the reputation of the company, as both existing and potential customers will feel that they cannot trust the organization and so either stop doing business or change their buying pattern.
Additionally, legal action could be taken against the company for failing to meet legislative requirements. The CSO/IT director needs to show the potential damage to a company's reputation from a security breach and the likelihood of it actually happening.
IT security is critical to many businesses today, yet senior leadership don't really realize this, as they are not truly aware of the potential damage that a breakdown in security can do to an organization.
It is the responsibility of those overseeing IT security to present the risks and consequences of a breach to the business leaders at a level that they understand and in a way that maps onto the business objectives of the organization. It is the responsibility of the senior business leaders to listen and act accordingly if the risk is significantly high.
IT security is not just the responsibility of the IT department; it is down to everyone to be aware of the risks and do what they can to prevent problems, from encouraging users not to download software or open unusual emails, to making sure the board members devote the necessary time, budget and commitment to getting it right the first time. If the IT department can achieve this, then hopefully they will never find out 'what if?'.
Andre Armstrong is part of the European marketing team for Rainbow Technologies (www.rainbow.com).