Why Management Doesn't Get IT Security
At the request of the Department of Homeland Security, a group called The Conference Board completed a study about senior management and their perceptions of IT security. The results aren't very surprising.
Most C-level executives view security as an operational issue -- kind of like facilities management -- and not as a strategic review. As such, they don't have direct responsibility for security.
Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. "Security directors appear to be politically isolated within their companies," Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don't have many allies in getting their message across to upper management.
What to do? The report has some suggestions, the same ones you can hear at any security conference anywhere.
Security managers need to reach out more aggressively to other areas of the business to help them make their case, Cavanagh says. "Risk managers are among the best potential allies," he observes, because they are usually tasked with measuring the financial impact of various threats and correlating them with the likelihood that those threats will happen.
"That can be tricky, because most risk managers come from a financial background, and they don't speak the same language as the security people," Cavanagh notes. "It's also difficult because security presents some unusual risk scenarios. There are some franchise events that could destroy the company's business, but have a very low likelihood of occurrence, so it's very hard to gauge the risk."
Getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs, means creating metrics that help measure the value of the security effort, Cavanagh says. In the study, The Conference Board found that the cost of business interruption was the most helpful metric, cited by almost 64 percent of respondents. That metric was followed by vulnerability assessments (60 percent), benchmarks against industry standards (49 percent), the value of the facilities (43.5 percent), and the level of insurance premiums (39 percent).
Face time is another important way to gain attention in mahogany row, the report says. In industries where there are critical infrastructure issues, such as financial services, about 66 percent of top executives meet at least once a month with their security director, according to the study. That figure dropped to around 44 percent in industries without critical infrastructure issues.
I guess it's more confirmation of the conventional wisdom.
The full report is available, but it costs $125 if you're something called a Conference Board associate, and $495 if you're not. But my guess is that you've already heard everything that's in it.
Posted on November 8, 2006 at 6:15 AM • 37 Comments