How to sell security to the C-Level

In this guest blog post, Justin Strong lays out the business case that IT needs to take to executives when investments are needed for security tools and policies.

By Justin Strong

Security investments don't produce revenue, which makes it hard for IT to justify security spending to C-level executives. Yet when a data breach occurs, the hammer falls on IT. So it is the IT staff who face the daunting task of making the case for security investments to the C-level, including the cost of updating and maintaining security policies and software to support BYOD and the social enterprise. Below are tips for IT professionals to keep in mind as they approach C-level executives for the buy-in to implement the tools and policies needed to keep the enterprise secure.

This is a real problem.

The days of the paper shredder are gone. Company data is no longer just in the physical hands of employees; it's in their virtual hands, traveling with them wherever they go. Forrester recently reported that corporate data loss and security breaches occur as a result of employee misuse and a lack of comprehensive IT security policies: according to that report, 31 percent of data breaches resulted from the loss or theft of a device, while 27 percent were caused by employees accidentally mishandling corporate data. When these breaches occur, they can cause devastating legal, financial and reputational crises.

It's hard to ignore the cost benefits when employees purchase their own devices. However, with as much as 70 percent of a company's intellectual property (IP) living in email alone, a huge share of data assets is "out there" on somebody's smartphone or tablet. To make matters worse, the volume of data that IT needs to protect is growing as fast as the devices themselves, which adds another fashionable problem to the list: Big Data.

To address these data security concerns, IT needs visibility into employees' devices and a Mobile Device Management (MDM) solution to manage them. Investing in an MDM solution isn't about giving employees what they want. It affects the bottom line of any company once you consider the costs of a data breach that can occur when employees access corporate data over potentially unsecured mobile and Wi-Fi networks.

This is a real business problem.

Some companies are more at risk than others, but no company is completely protected from risk. If you're a decision-maker, your choices regarding security policies and solutions can dramatically affect the company's bottom line. At the same time, compliance requirements must be met. It is critical to ensure that employee-owned devices meet a defined standard of compliance before they are allowed onto the corporate network, and proving that compliance with standardized reports is a must; manually accounting for compliance has become untenable for most IT organizations. For example, an employee-owned device and its operating system need to support data encryption in order to keep sensitive company information from leaking, and IT should be able to prove that it is in place with a standardized report.

Of course, there is always the concern of employee privacy. Security and compliance solutions need to secure enterprise data while also protecting employees' privacy by blocking IT administrators from non-work-related areas of employee-owned devices. Failing to respect that privacy can result in fines and lawsuits, from outside organizations as well as from employees who feel their rights have been violated. C-levels may not see employee privacy as a bottom-line concern, but the damage done when compliance is not met can be very costly to the corporate wallet.

Ineffective or unsophisticated security results in lost productivity and agility.

Every CxO knows they need to secure the enterprise; the question is how, and how to do it with the lowest investment possible. However, the least expensive solution isn't necessarily the cheapest for the organization: if your security policy costs each employee one hour of productivity per week, you're talking about massive costs to the enterprise.

Mobile, social and cloud technologies have forced IT departments to adapt their policies and procedures. Successful IT teams need to navigate new technologies without threatening security or limiting the productivity of the workforce. After all, a secure enterprise is a productive one. It's critical that technology does not dictate policy; rather, organizations should implement and enforce policies that are flexible enough for today's rapidly changing technology environment. Overhauling security procedures each time a new technology hits the market is costly, and can easily result in a "No" from the C-level when IT requests funding for the tools needed to stay secure. The solutions worth implementing are the ones built to scale, so that IT avoids investing in new policies and platforms each time a new technology disrupts the business.

When it comes to security, IT has a difficult task. Other departments justify costs with hard numbers for how their investments will increase ROI and affect the organization's bottom line. IT is stuck needing investment without being able to show an obvious monetary return. Increased investment in security can fall to the bottom of a CEO's to-do list when the CEO's most important role is keeping the company profitable and he or she feels a solid system is already in place.

Today's workforce feels entitled to work wherever and whenever they want, on whatever devices and applications they prefer, and that creates a major security threat. Though investing in security measures may not turn a profit, it helps ensure the sustainability of the company by removing compliance concerns, reducing the risk of data breaches, and maintaining workforce productivity in the event of a breach or unforeseen intrusion. The threat of what an organization could lose is worth the investment needed to keep the enterprise secure in a constantly evolving IT era.

Justin Strong is the Senior Global Product Marketing Manager at Novell.

1 comment

JEHowell

I just read Justin Strong's guest blog on the above subject and, although I don't disagree with his points, I don't think that he's stayed on subject. Surely the key message is that information security is not IT's problem alone to resolve and it's certainly not entirely their budget that's up for grabs. It's a business problem. The business is at risk if it doesn't take seriously the need for good processes, procedures and tools to protect itself. It's the business that needs to find the budget and offset that against the risk that has been determined if a breach should occur. IT can knock on the doors of the C-levels as much as they like but are unlikely to get much of a reaction with the usual fear, uncertainty and doubt tactics. How can IT determine the cost of a breach to the business? They simply implement new systems and services to assist the business requirements. Information security has to start at the top and run through every level of the organisation. IT might be asked to implement a new service or solution but it's the business that has created the need for it, so it should be the same management involved in considering the business risk of introducing the new service and the cost to mitigate. With a proper information security structure in place within the business, there is an inherent understanding of best practice and what needs to be reviewed when new systems and services are introduced. Now IT can take its proper role within the process, which is to ensure that the new service works properly in the knowledge that any business risk has been assessed and that the necessary protection has been budgeted for and implemented. My advice? Get a quality consultancy in to run through a gap analysis with ISO 27000 as the benchmark. This will identify where the business is in terms of its security and the C-levels can decide where they think the business should be.
The Gap can then be addressed by setting up a proper information security team within the organisation with the C-levels involved. Once you've achieved that then there is no need for IT to "sell" the need for security and the associated budget. Okay, it's not a perfect world and it's not easy to get consensus but security has to come from the top. The budget will follow.