Avijit Gupta
BANGALORE, INDIA: Ms. Agarwal, the Information Technology Manager at Bluechip Ltd., is a very concerned person these days. Her company has recently launched a new range of products and services and is exploring various channels to position and market them. Ms. Agarwal has recently learnt from Mr. Reddy, VP Marketing, that one option they are almost certain to go for is revamping the existing “not so known” company website into an active business portal, where customers would not only have the option to view the product range, but also package products as per their choice and place orders directly!
The moment Ms. Agarwal learnt that, she realised that, given the new business requirements, not only will she have to come up with a strategy to upgrade and integrate the existing business applications, but she will also have to develop a plan that considers the risks relating to data security. But that is not what she is concerned about. Ms. Agarwal knows that, as IT Manager, her real challenge will be to convince the management to approve the budget for IT security.
Many of today’s IT Managers, Chief Information Security Officers (CISOs) and others who are responsible for information security and data privacy find themselves in a similar situation. They understand the realities of conducting business today, in an environment where information technology components are often not integrated. With the increasing sophistication and proliferation of attacks, and the ever-shifting focus of threats to the next weakest link, that is, people and applications, the rise of financially rewarding attacks will continue. Technical environments will continue to become more complex, as we have seen in the example above, and the proliferation of new and extended enterprise applications will raise new security and data privacy concerns.
These challenges are predominantly organizational and cultural. Most enterprises have invested in and developed security programs, often as a one-time exercise after a major information technology solution implementation. However, over time such initiatives have not kept pace with growing business requirements. The reasons for failure could be many: lack of business or executive buy-in, a disconnect between enterprise and business unit goals, low prioritization of security as compared to business initiatives, lack of appreciation for the importance of security, mostly technically led, IT-based security projects, and one can go on and on. However, the single most important reason, which perhaps leads to many of the above causes, is the inability to establish the business value or ROI of information security, and that is where Ms. Agarwal’s real concern lies.
Having said that, it is also true that “buy-in” for information technology is not easy. Business value could relate to a different set of priorities. For instance, is it protecting reputation and brand, reducing the cost of regulatory compliance, protecting existing revenue streams and helping generate new ones, ensuring business functions continue even during adverse conditions, and so on and so forth? According to Gartner, about 60% of organizations primarily value information security as a cost of doing business, about 40% see it as an insurance policy against hacks, breaches or regulatory fines, and only about 12% consider it in terms of ROI. Information security is generally viewed as somewhat effective in meeting the needs and expectations of an organization across all industries.
Ms. Agarwal knows that she will need to justify security spending with solid business justifications and demonstrable business value. The need is for a business approach to information security.
How does Ms. Agarwal do that? Investments in information technology security require both “buy-in from the top”, the executive management, and “buy-in from below”, that is, support from business decision-makers and users, for maximum business benefit. But who are the most effective advocates for getting the support necessary for successful IT investments and deployments? It is very important to understand that eventually it is the enterprise asset that is at stake, not the information technology security assets. The executive management will need to make the decisions, and the facts and figures on which such decisions are going to be based should be presented as a strong business case.
There could be many possible ways to approach this. Ms. Agarwal may start by identifying the primary drivers for implementing security controls in the organization. For example, is it just a particular regulation that mandates a security control? Or is it due to new business requirements resulting in the integration of new systems, as we noted in the example above? Developing a roadmap to an effective information security strategy could help derive business value. The strategy could start with defining management expectations, for example security sponsorship, risk tolerance, the level of required investment, etc. An initial plan to implement a security program could then be set up, linked with business-strategy-driven governance.
For example, if customers will make online payments through the website and this function is going to be outsourced to third parties, then those third parties will have access to customers’ confidential information. Customers are hesitant to do business with organizations that are seen as not secure.
The plan should clearly establish the required level of investment, the resources and skills that will be required, how relevant security policies and standards are going to be developed, how assets and resources are going to be protected, what user training will be required, and so on. The risk of not having a strategic roadmap to address the information security requirements should be expressed in monetary terms as much as possible. Inadequately protected information assets are most likely to have an impact on the organization’s profitability, which is a concern for senior management. Remember, even your business partners have their own needs and demands. They are expected to meet a certain level of service and require seamless integration with the business. They are expected to respect the confidentiality and integrity of the organization’s customer and employee data, and expect the same from your organization. A sustainable and ongoing risk management program to monitor risk in a dynamic business environment is therefore very necessary.
Senior management expects their information security teams to provide appropriate asset protection at minimum cost and, at the same time, maintain compliance with applicable laws and regulations. CISOs and IT managers will need to articulate the business value effectively to the management, in a way that is clearly understood. An understanding of the business environment in which the organization operates is therefore very critical for CISOs and IT managers. Ms. Agarwal is now convinced that presenting a case to the CEO which notes that automated and controlled data interfaces with third parties will result in X amount of savings in staff cost over a period of time, as opposed to implementing a perhaps cheaper manual and reconciliation-dependent process, has a better chance of success!
The author is Director - Enterprise Risk Services with Deloitte Haskins & Sells. Views expressed in this article are his own.