
CBR is proudly produced & published
by Technews
Issue Date: December 2006

Boardroom mindset puts security second

December 2006
Charl Louw, head of Infrastructure Consulting & Enterprise Architecture, Accenture South Africa

When an organisation invests in improving its IT security, what are the priorities?

Recent research Accenture conducted among senior IT professionals and board-level executives shows that IT security investments are made with a view to implementing technology solutions to ensure compliance with external regulations. This is not only worrying for shareholders. It should also ring alarm bells at board level because it suggests that IT security specialists are still failing to convince the board of the business benefits of security investments, and that a pervasive focus on compliance is diverting funds away from real strategic priorities.
The figures speak for themselves. Fifty-three percent of survey respondents cited compliance as the biggest single driver of security investment. But when asked about their main security priorities for 2006, the most common response from nearly half the participants was assessing and managing risk, followed by identity and access management, and business continuity. Achieving compliance was well down the list, cited by less than a fifth. Only 22% regarded achieving compliance as a major challenge.
These findings come despite overwhelming evidence of the growing risks posed by an expanding array of security threats, ranging from hackers to phishing attacks to 'inside jobs' to data privacy breaches. At root, what the research shows is a great disconnect between what IT specialists know companies should be doing about security, and the investments that are actually getting approval at board level.
It is not hard to see why this gap has opened up. One driver is the continuing perception at board level that security is about blocking access and protecting assets rather than generating a return for the business. Another is that security is seen as primarily a technology issue, rather than an area where processes, people and other organisational factors are every bit as important. A third is that security is widely perceived as a cost of doing business rather than a way of creating value.
All these factors have converged in companies' responses to the blizzard of regulation in recent years, ranging from Sarbanes-Oxley to data protection. The need to comply has further entrenched the view that security is a cost centre. Since boards tend to regard compliance as an additional but unavoidable overhead, and security and control represent a significant element of this cost, the impact of new regulation has been to reinforce the misconception that security is effectively a tax imposed on the business.
Charl Louw, Head of Infrastructure Consulting & Enterprise Architecture, Accenture South Africa
The net result is that investing in technology bolt-ons to achieve and maintain compliance remains the principal driver behind security investment in many organisations. What is lacking in this approach is a risk-based analysis or business case focused on meeting the wider needs of the business. The result is that the funds available for security investment are side-tracked into compliance rather than enhancing security itself. And once all the compliance boxes have been ticked, then the board feels it has 'done the job' on security.
IT security specialists know this board-level perception is both wrong and dangerous. As Accenture's research confirms, the business's IT security officers know there is much more to do to make the organisation secure, but they feel powerless to convince the board of this. And their failure to get the message across about the real business returns from security investment means the board simply carries on focusing on compliance.
This communications breakdown leaves many organisations more vulnerable than top executives realise. However, it would be wrong to lay all the blame at the boardroom door. The fact is that precious few IT security professionals have the communications skills and business awareness needed to give their directors a clear and concise pitch on the state of security in their organisation, and of the business returns available from 'pure' security investment beyond compliance.
Fortunately, our research does not just highlight the problem, but also indicates a way forward. Our analysis shows that the higher-performing companies in our survey tend to focus security not under the CIO, but rather under the CEO - thereby reflecting its true importance. This gives security issues a higher ranking on the board agenda, with sponsorship from the top and a solid platform from which IT can argue the case for investment.
For their part, IT security officers also have a pivotal role to play by learning how to communicate the rationale for investment more clearly and forcefully in business terms at the topmost levels. To do this, they should stress the business benefits that come with comprehensive security, such as protecting the supply chain to extend the organisation's reach and enabling more cost-effective online banking processes.
Some companies are doing this already. It is no coincidence that organisations that manage security well are all high-performing businesses. It follows that while outstanding security will not automatically make an organisation high-performing, it does represent a key building block.
So, how can companies become best-in-class in security? Our research and experience suggest they can do this by applying five principles:
* Assess and manage risk in terms of disruption and value to the business.

* View compliance as a catalyst for business improvement and innovation.

* Embed security throughout the business.

* Automate security administration and management.

* Leverage people and processes as well as technology to manage threats and vulnerabilities proactively.
The IT security threats to today's businesses are escalating by the day. Unless companies raise their game by investing in the right capabilities and safeguards, they are storing up huge risks for the future. Now is the time to act to prevent that from happening.
