If IT has a fairy tale, it would have to be the Cinderella story of security.

Long an afterthought for many organizations, high-profile attacks and the potential for lawsuits are transforming security into the latest IT princess.

But it still isn’t easy to convince executives to spend the necessary resources on security, which can be expensive, time-consuming, and a drag on delivery times.

Don’t give up hope. Here are two approaches to help bolster security’s importance in your company.

The numbers game
A security analyst with Gartner , a leading international IT research firm, recommends that IT professionals stop playing the numbers game when it comes to convincing companies that security’s costs are worthwhile.

If you keep talking about security in terms of risk analysis, you’ll lose. The chances of a breach will appear too insignificant in terms of the dollars your company will need to spend, he said.

Analysts suggest IT professionals talk about what happens if there’s a security breach. Discuss how a breach will impact the company’s finances, what legal problems it could cause, and how it will affect the company’s reputation.

Chris Zoladz, vice president of information protection for Marriott International, Inc., and a recognized leader in e-business security, took that approach when trying to convince his company’s leadership to back his security initiative. “What I did was I looked for factual occurrences in our company—and we all have them,” Zoladz said. “That’s very real for them.”

Zoladz’s approach helped him win support from Marriott’s CIO and the company’s general counsel. Both helped him get security issues on the executive agenda.
Chris Zoladz was one of the security experts gathered in New Orleans this week for Gartner’s conference “Information in an E-Business World: Coping with the Threats.” Check back for more conference coverage by TechRepublic Web editor Loraine Lawson.
Creating a corporate culture of security
While security has long been the domain of IT, analysts contend that it needs to move from IT’s shadow and involve all areas of the enterprise.

Companies should create a culture of security by planning for security when developing systems and making individual employees aware of security issues. This will become increasingly important, since it is predicted that more IT products and services will be deployed in the next five years than have been in the previous 30.

IT isn’t the only area that needs to be involved in security, however. Experts have recommended separating security and creating a new executive role—the chief information security officer.

That’s a hefty order for small and midsize companies. But what every company can do is ensure that all divisions and employees appreciate and understand the need for security.

Zoladz, for example, made his initiative company-wide by asking the executive leadership to endorse the project and appoint a vice president from each business unit to the security committee. That helped make security a top priority for the business units.

“They all did it. They all went forth and put forth their people,” Zoladz said. “It was top-down driven.”

He was also careful to keep security aligned with the company’s business goals.

“The side-by-side approach has been very effective for us,” he said.

How do you determine if your company has a culture of security?

Imagine that one of your employees sees another employee doing something wrong. Now ask yourself three questions:

  1. Would the employee know if the action was right or wrong?
  2. Would the employee report the action?
  3. Would the employee know how to report the action?

In almost every major incident that Gartner has examined, the breach was an inside job, usually in the form of distortion or embezzlement.

In one instance, a client spent hundreds of thousands on a security system, only to have employees turn it off because it made too much noise.

The moral of the story? Introduce Cinderella to the rest of the ball. If you want to live happily ever after, make sure everybody—from the company president to your slowest typist—values security.
Gartner estimates that organizations spend anywhere from 2 to 8 percent of the IT budget on security. He recommends that number rise to between 7 and 15 percent. How much do you spend on security? Let us know by e-mail or by posting below.