In this guest blog post, Justin Strong lays out the business case that IT needs to take to executives when investments are needed for security tools and policies.
Investments in security don't produce revenue, making it difficult for IT to justify implementations of security updates to C-level executives. But, when a data breach occurs, the hammer falls on IT. Therefore, it is the IT staff who are faced with the daunting task of justifying security investments to C-level executives, including updating and maintaining security policies and software to support BYOD and social enterprises. Below are tips for IT professionals to keep in mind as they approach C-level executives for the buy-in to implement the tools and policies needed to ensure enterprise security.
This is a real problem.
The days of the paper shredder are gone. Company data is no longer just in the physical hands of employees; it's in their virtual hands, traveling with them wherever they go. Forrester recently reported that corporate data loss and security breaches occur as a result of employee misuse and lack of comprehensive IT security policies. In fact, 31 percent of data breaches were a result of loss or theft, while 27 percent were caused by employees accidentally mishandling corporate data. And when these data breaches occur, they can cause devastating legal, financial and reputation crises.
It's hard to ignore the cost benefits when employees purchase their own devices. However, with as much as 70 percent of the company's intellectual property (IP) living on email alone, a huge percentage of data assets are "out there" on somebody's smartphone or tablet. To make matters worse, the volume of data that IT needs to protect is proliferating as fast as the devices themselves, which brings another trendy problem to face: Big Data.
To address data security concerns, IT needs to examine employees' devices in greater detail and implement a Mobile Device Management (MDM) solution to effectively manage this concern. Investing in an MDM solution isn't about giving employees what they want. It impacts the bottom line of any company when you consider the costs that can be associated with data breaches that can occur if employees access corporate data on potentially unsecured mobile and Wi-Fi networks.
This is a real business problem.
Some companies are more at risk than others, but no company is completely protected from risk. If you're a decision-maker, your choices regarding security policies and solutions can dramatically impact a company's bottom line. At the same time, compliance must be met. It is critical to ensure that employee-owned devices meet a certain standard of compliance before allowing them access to the corporate network. Proving this compliance with standardized reports is a must - manually accounting for compliance has become untenable for most IT organizations. For example, employee-owned devices or operating systems need to support data encryption in order to keep sensitive company information from being leaked - and IT should be able to prove this with a standardized report.
Of course, there is always the concern of employee privacy. Security and compliance solutions need to secure data in the enterprise, while also protecting employees' privacy by blocking IT administrators' access to non-work-related areas on employee-owned devices. These privacy concerns can result in fines and lawsuits, from outside organizations as well as from employees who feel their rights have been violated. C-levels may not see employee privacy as a bottom-line concern, but the damage that could be done if compliance is not met can be very costly to the corporate wallet.
Ineffective or unsophisticated security results in lost productivity and agility.
Every CxO knows they need to secure the enterprise; the question is how - and how to do it with the lowest investment possible. However, the least expensive solution isn't necessarily the cheapest to the organization - if your security policy results in one lost hour of productivity per employee per week, you're talking about massive costs to the enterprise.
Mobile, social and cloud technologies have forced IT departments to adapt policies and procedures. Successful IT teams need to navigate through new technologies without threatening security or limiting the productivity of the workforce. After all, a secure enterprise is a productive one. It's critical that technology does not dictate policy, but rather that organizations implement and enforce policies that are flexible enough for today's rapidly changing technology environment. The need for IT to overhaul security procedures each time a new technology is introduced to the market can be costly, and can easily result in a "No" from C-levels as IT professionals request funding for the tools to ensure security. The solutions to implement are ones built to scale, helping IT avoid investing in new policies and platforms each time a new technology disrupts business.
When it comes to security, IT has a difficult task. Other departments justify costs with hard numbers for how their investments will increase ROI and impact the organization's bottom line. IT is stuck with the need for investments without being able to show the obvious monetary return. Increased investment in security can fall to the bottom of a CEO's to-do list when his or her most important role is ensuring that the company stays profitable and he or she feels a solid system is already in place.
Today's workforce feels that they are entitled to work wherever and whenever they want, and on whatever devices and applications they prefer, creating a major security threat. Though investing in security measures may not turn a profit, it will ensure the sustainability of a company by eliminating compliance concerns, reducing risks of data breaches, and helping maintain workforce productivity in the event of a breach or unforeseen intrusion. The threat of what an organization could lose is worth the investment to keep enterprises secure in a constantly evolving IT era.
Justin Strong is the Senior Global Product Marketing Manager at Novell.