How do different functions within an organisation view e-business
security, and what messages are most likely to convert doubtful
executives within each function?
It's a perennial gripe among IT security experts, and one which the
e-business revolution doesn't seem to have resolved: you can't get
the board-level buy-in needed for the right level of investment in
security technology. Nor can you bring about the security culture
which everyone seems to agree is a prerequisite for making security
work.
Executives outside the IT function are prone to view security as an
optional extra. So, what's the best way for security advocates to
get them to take notice? The traditional method is scare-mongering,
and the DTI has a copious supply of statistics that will do just
that: 60% of companies have experienced unauthorised systems
activity at an average minimum cost of £24,000; and the first
hacker usually arrives within three hours of a website's launch.
But negative-selling is a turn-off and is often dismissed by
directors as hype.
Although security professionals claim that the Code Red computer
virus did tens of millions of pounds worth of damage, victims are
not exactly falling over themselves to share their experiences.
Companies simply won't talk about this sort of thing, explains
David Wray, chief technology officer and co-founder of UK security
specialists Authorizor. "The only time you know when a bank has
been robbed is when the police are outside."
Penetration-testing, combined with the right reporting tools, can
be one way of convincing the board that risks are real. Ian
Kilpatrick, group managing director of Wick Hill, says: "If you
show them the vulnerabilities in their set-up, they won't need to
understand the jargon."
Presenting directors with, say, payroll details and password lists
obtained in penetration-testing can also grab their attention, says
Graeme Cox, managing director of security firm DNS. Kilpatrick also
recommends the honeypot, a decoy that reveals attempted violations
without risk to the main system, so presenting a graphical
illustration of risks.
CEOs and MDs
Those who head up companies are likely to
respond positively to security propositions that are presented as
enablers rather than inhibitors. Much of that depends on security
specialists taking the right approach. Alan Liddle, technical
director of Trustis, specialists in e-commerce security, says: "We
don't go in as the security police - the Draconian approach turns
directors off. It's better to position ourselves as the people who
are going to build the secure solution to fix the problems, not the
people who are going to switch off the systems the company needs to
do business."
Despite vendor ambivalence towards scare-mongering, some security
experts believe the media attention given to e-business security
breaches does attract the attention of chief executives. Paula
Palma, vice president and managing director for Europe at Entegrity
Solutions, says: "They're concerned about shareholder value and
corporate reputation, both of which can be damaged by bad press."
Company chiefs are also aware that the buck stops with them - an
awareness that should have been heightened by recent legislative
and regulatory change, which places increasing responsibility for
information security on the shoulders of board directors.
For example, some security companies are doing their best to draw
attention to the new Data Protection Act, which becomes fully
operational this month, when a period of grace for existing
companies ends. The Act means that companies which don't take their
privacy responsibilities seriously could be in more trouble than
before. "Under the new Act, a company may be liable for
compensatory damages if any individual suffers damage as a result
of having their personal information used in an unauthorised way,"
says Toby Ben, product manager at Access Research Technologies.
Having the right security precautions in place could help to
safeguard a company against such claims. However, some industry
players are doubtful about the likely impact of the Act. "There's
not enough education taking place. The Act will have no impact
until something brings it forcibly to companies' attention, such as
a company falling victim to it through ignorance," says
Kilpatrick.
Then there's the Turnbull Report on corporate governance, whose
guidelines make directors ultimately responsible for business risk
management, including data and IT risk. A couple of years after the
report's publication, the penny has yet to drop with some
executives. Michael Harrison, chairman of communications and
marketing group Harrison Smith Associates, is also a board member
of the Information Assurance Advisory Council (IAAC) on which he
also represents anti-virus firm Symantec. Executives he encounters
don't always understand the practical implications of Turnbull.
"They have all heard of it, but when you ask them what their
personal responsibility for information management is, many will
say, 'It has nothing to do with me, it's the IT manager's
responsibility.' They still think of it as a technical problem that
can be delegated rather than recognising it as a risk management
decision that shouldn't be delegated."
Harrison believes that boards will take the issue seriously the day
someone stands up at a shareholder meeting and asks about the
company's data security. In the meantime, IAAC, a government-backed
centre of excellence for information assurance, is doing its best
to help by bringing together corporate leaders, public policy
makers, law enforcement officials and the research community to
address the security challenges of the information society.
The language used can help grab an executive's attention, starting
with how the subject is introduced. Andrew Rathmell, chief
executive of the IAAC, explains that his organisation has chosen
the term 'information assurance' advisedly. "The term, which came
from the military world, makes this an operational issue in a way
that information security wasn't, and so helps raise it to board
level."
At a more detailed level, BS7799 can help IT and business develop a
common language for talking about security. BS7799 is the British
standard for information security management, first published in
1995, and now also known as ISO17799. The standard encourages
companies to work out what they need to do in business terms, and
then create a coherent risk management approach instead of just
stringing together a series of technological safeguards.
Geoff Davies, managing director of IT security specialist i-Sec,
says: "Decision makers understand operational risk - they're used
to considering questions like, 'What would happen if 50% of
customers paid after 60 days instead of 30 days, and what controls
do we need to put in place to deal with it?' BS7799 lets them think
about information and how it might be compromised in the same
terms."
Liddle agrees, saying: "BS7799 can help people understand that
security must be a process rather than a load of boxes of
technology." But, he notes, only now is BS7799 starting to be
useful as a consciousness-raising tool. "For a long time, when you
mentioned it, the most common response was, 'What?'"
One thing that may help raise awareness of BS7799 is the fact that
the Data Protection Act mentions it; implementing BS7799 could help
you establish in a tribunal or court that your company hadn't been
careless with other people's information. But that's assuming
people are taking notice of the Act itself.
CFOs and FDs
Stereotypically, heads of finance are not
interested in any proposition unless there is a quantifiable
return. While some vendors believe they have encountered this
attitude, the finance community counters that, on the contrary,
financial directors are aware of the issues surrounding information
security. "FDs and directors are very interested in identifying and
evaluating risks that affect their businesses, and in taking
relevant steps to counter those risks," says John Court, head of
the IT faculty of the Institute of Chartered Accountants in England
and Wales.
As usual, the problem partly lies with security people telling
their story the wrong way. "Sometimes, security specialists think
about the subject from a purely technical point of view instead of
relating it to the business as a whole," Court observes.
Once again, BS7799 could be helpful. Birmingham-based computer
audit and security consultant Dick Price says: "BS7799 is a superb
way to get the message across in a way that FDs can understand."
Price needs it because he still encounters financial directors who
dismiss information security and IT as an overhead. "Some have
risks staring them in the face. The phrase 'trading recklessly'
comes to mind."
Are there any areas where security propositions can be seen to
deliver measurable returns as opposed to reduction of risk? Well,
one area where they can is in making your company more attractive
to customers or partners, and so bringing in more business.
"Companies like BT and the Halifax are using security and consumer
trust as marketing differentiators, putting out adverts with the
message, 'We're more trustworthy and secure than our competitors,'"
Rathmell says. The marketing director could become your ally here.
Some technology measures can be sold on the basis that they enhance
productivity as well as securing information. Wray puts forward the
example of products to enable secure remote working. "If you give
the workforce the flexibility to work anytime they can get on to
the Internet, you're potentially going to get more work out of
them."
Enrique Salem, senior vice president of products and technology at
Oblix, has additional examples. "Facilities like single sign-on are
as much about productivity as security. If you have to remember a
dozen passwords, you're going to spend a lot of time calling the IT
helpdesk to get a new one. And, if, as statistics suggest, it takes
[a new member of staff about] 12 days before they're given access
to the systems they need, there's scope to increase productivity by
automating the process."
Financial people are going to be keenly aware that risks need to be
addressed at the right level. No company can afford to plug every
gap, so it's important to put forward the solution that's
appropriate to the company's situation. Liddle says: "We can roll
out PKI solutions cheaply and quickly. If a company complains that
it can't interoperate with someone in Lower Mombassa, our answer
is, 'Why worry at the moment when you have no business need to do
it?'"
IT & e-business directors
The IT department
certainly understands the need for security technology, but it's
not always motivated to promote it. Davies explains: "Security is
just not seen as sexy. How big a pay rise will the IT director get
for delivering a firewall?"
Putting forward a proposal for security expenditure can place
technical people in an embarrassing quandary, points out Wray. "The
other directors are liable to ask the IT director if the company's
system is secure. Advancing the proposal can seem like an admission
of incompetence." That's particularly true if previous security
business cases have incorporated the over-ambitious claims of
vendors. "Vendors sometimes encourage buyers to view something like
a firewall as more all-embracing than it really is," explains Wray.
"IT directors need to make sure the scope of each piece of
technology is accurately understood. If you buy a lock for your
front door you don't expect it to take care of the windows
too."
E-business directors may see security as obstructing their projects
and increasing time to market, warns Palma. "We have to educate
them, too, about why security technology can be an enabling tool."
Security tools that automate manual administrative functions - or
shift some of the work away from the IT department - are among
those that appeal most to chief information officers and the like,
says Salem. "Surveys show that password resets can cost companies
between $200-$300 (£138-£207) per employee, per year. Giving
employees the ability to do that work in a self-service fashion can
reduce departmental costs."
But even when they're convinced themselves, IT people need to get
over their fascination with gizmos if they're to communicate
effectively with the rest of the organisation. Liddle says: "IT
people still tend to go for the high-tech sell, telling the board
all about 128-bit encryption, signing certificates and such, when
what's really needed is a high-level statement of the proposal with
a focus on the real business benefits."
A risk management framework along the lines of BS7799 can help to
achieve the correct focus, but even then IT people may still have
problems. "Even if they understand the terminology of impact
analysis and so on, IT people probably aren't in the best position
to assess exactly what information is vital to the business,"
explains Harrison.
However, he says, there are tools that can help build a risk
profile and assess the cost of reducing the risk, as well as
consultants queuing up to help bridge the communications gap
between IT and the business.
If security is generally seen as a spanner in the works rather than
a facilitator of e-business, it could be because people tend to
present it as a separate area rather than an integral part of
e-business. "Even with enormous e-business projects in major
financial institutions, we still see security presented as an
add-on," Cox says.
"The project can get as far as a beta release before someone asks,
'By the way, is this going to be secure?' At that point, security
isn't part of the budget. Sometimes there are business functions
that can't be offered because the security just isn't there," he
says.
Cox says that savvier organisations, such as Scottish Enterprise,
start to think about security right at the beginning of their
e-business activities. That way, he argues, you can push your
security strategy along with your on-line services, with minimal
spend up front and more investment later, after the deliverables
have started to appear. The benefits of security are the benefits
of the programme as a whole, and you should never find yourself
having to make a case for a piece of technology, such as a
firewall, in a vacuum.
Liddle recalls: "In the old days, firms used to take the project as
far down the road as possible. Then they'd give it to the security
people knowing that they'd throw their toys out of the pram, but it
would be too late to do anything about it at that point. Now people
are starting to realise that an e-business system without adequate
security is like a car without wheels.
"What's needed is a balanced debate, not an attempt to close every
security gap regardless of cost, but a pragmatic approach that
views security as an integral part of the solution."
Graham Edwards, director of group fraud and security at Abbey
National, says: "We evaluate each proposed security initiative
carefully, getting the business lines concerned to comment on the
level of risk that's being addressed. Because we already have a
security strategy in place there's a framework for these
evaluations. And we don't have to convince senior management of the
need to spend money on information security each time because
they're already convinced."
In these difficult times, one reason directors may be reluctant to
spend money on security technology is that they simply haven't got
that kind of money to spend. It's sometimes alleged that the only
cheap security technology is the kind you can't afford to get
working because it's so hard to implement.
Richard Ellis, founder of onefootball.com and former chief
executive of Digital Sport, says: "We implemented security
technology - particularly to address theft of our content - but it
can be difficult for smaller organisations to spend what amounts to
tens of millions on a below-the-line expense."
It seems the best solution to catching the eye of executives would
be for the industry to come up with more affordable
solutions.
When the push for security goes inside out
Executives
may soon find themselves under increasing pressure from outside the
company to take security more seriously. Spurred on by initiatives
such as the Turnbull report on corporate governance, company
auditors will be bringing information assurance to the attention of
financial directors and the board.
Andrew Rathmell, chief executive of IAAC, says: "They've done this
in the US and now we can expect to see the Big Five firms and other
professional institutes drawing up similar guidelines here."
Insurers, too, could supply both positive and negative incentives
to grab the board's attention, refusing to cover organisations for
certain types of risk or offering reductions in premiums for those
with good information security. Security proponents may soon be
getting valuable reinforcement, too, from corporate business
partners. B2B e-commerce means that companies are soon likely to
pressurise each other to comply with their security requirements.
Alan Liddle, technology director of Trustis, says: "One of our
customers supplies software to banks, and banks won't buy anything
from anyone until they're satisfied with the security of the
suppliers' own systems." The Internet has made it easier for
companies to put pressure on their suppliers because it's now so
easy to switch suppliers.
So, which security standards will companies apply to each other?
They may look for compliance with, or certification against,
BS7799 or alternative European standards. Or companies and
industries could impose their own.