The downturn has not been kind to security budgets. Yet CIOs still need to find ways of creating defences against a number of threats that are now taking shape. Cath Everett reports.
Although information security budgets were not as badly affected during the recession as other areas of the business, the days of year-on-year increases appear over. As a result, in the past 18 months or so, many professionals have started to take a more risk-oriented view of potential threats to focus scarce resources where they are needed most.
One of the key problems they face when trying to sell the case for investment, however, is that many senior business managers fail to understand an issue that is fundamentally technical and fast-changing.
As Stewart Room, data security specialist at law firm Field Fisher Waterhouse (FFW) and chairman of the National Association of Data Protection Officers, says: "Most business leaders have grey hair and are not of a generation that was educated in these things, so it's not part of their natural culture. Instead it's an alien and complex topic."
But the situation has not been helped by a widespread internal failure to articulate or advocate the subject effectively.
"How you present a business case is as critical to the outcome as the fundamental message that is being delivered so if you deliver an important message in a poor way, it might not get through," says Room. "So today, it's the absence of understanding and making a clear business case that are the major economic barriers to investment."
Building a multi-disciplinary team
But there are several mechanisms that could help CIOs justify the expenditure required to secure important business assets. The first is to network inside their own organisation and indulge in the art of persuasion to build a multi-disciplinary team comprising the company secretary and heads of HR, marketing, facilities management and risk and audit.
The aim here is to break down existing information security silos and ensure that key stakeholders work together to understand the major risks to the business and how best to address them.
The second is to use business language to get the message across. Key vocabulary in this context includes 'reputation', 'brand protection' and 'effect on contractual relations' rather than 'distributed botnets' or 'data leakage', which turn people off.
Getting to grips with this situation is important. Failing to do so constitutes a risk for the organisation: if the business is not in a position to prioritise investment, which includes keeping key skills and infrastructure up to date, it will be unable to cope effectively with the threats already on the horizon.
Threat 1. Adverse third-party scrutiny
Adverse third-party scrutiny can come from a number of different areas. First, regulators ranging from the Information Commissioner's Office (ICO) to the Financial Services Authority have recently begun to take an acute interest in information security.
To demonstrate the seriousness with...