What Board Members Really Think About Security

A recent survey, carried out by NetIQ, claims that most IT Security Managers believe that their board-level superiors pay only lip service to compliance and security, i.e. they don’t take it seriously. Is this really correct? Or are we misinterpreting the signals from above?

I reckon the latter is nearer the mark. I’ve discussed IT security with dozens of managing directors in different industries. In my view they all take security very seriously indeed. Which is no surprise, given that they constantly handle sensitive information, and that they’re often much better informed about serious incidents than their staff. So why is there a difference in perception? I can see three possible reasons. Firstly, there is a lack of visibility of senior management thinking. Most directors are discreet. They rarely go around broadcasting their views about sensitive subjects, such as security. Secondly, they might have higher priorities. Most organisations have risk management processes in place that highlight major business risks for board-level intervention. If security doesn’t rank in their Top 50 risks, you can’t expect it to be high on the Board agenda. Thirdly, any major expenditure requires justification. No managing director should be endorsing major investments in security without a clear business case. And sadly we rarely see good examples of these.

I’m always surprised to hear claims that security spending is difficult to justify. In my experience it’s much easier than justifying expenditure on many other business initiatives. For comparison think about advertising campaigns which only work half of the time, CRM programmes that are an expensive leap of faith, or new product launches for which no sales are guaranteed. Security spending is easier to defend. There’s a lot of published incident data to support its claims. And if you add up the numbers the ROI can be quite impressive. Not to mention the fact that there are legal and regulatory demands to reinforce the business case.

So if security is not being addressed, where might the problem lie? The answer is likely to lie either with the risk assessment process, for not highlighting the problem, or with local business managers, for not managing these risks. Or perhaps with the security function, for not establishing a functioning security management system. But don’t blame the Board. At the end of the day they’re the ones who risk a jail sentence. So they shouldn’t need reminding about the importance of compliance and security.


Hi David. In response to your question as to how it can be that business people do understand security and the need for investment, and yet IT security continually bemoans the fact that they don't: how can this dichotomy be explained? Perhaps it is down to the fact that we don't have an "IT security problem"; we have in fact an "information security problem" which may contribute to a "business risk problem". Could it be that the perceived gap is one of terminology and poor communications more than anything else? Business people are talking about risk management and are sensitive to information security breaches in all their myriad forms. IT security people don't often enough see this bigger picture and too often maintain that it is a technology issue. And then they wonder why the business's eyes glaze over when speaking about technology issues. Both points of view are therefore valid views of reality, even if the fact that the gap exists at all is still undesirable. What is needed is for IT security to evolve and mature into a discipline centred around 'information security, risk management, and information governance'. Perhaps then they'll discover that many business leaders actually do get it; they just see the world differently. All the best... Simon
While agreeing with many of your points (especially the lack of evidence of factual incidents on which to base risk assessment), as soon as you step outside of the regulated financial service and banking industry the level of information security interest at director and board level in the UK is pitiful. Even in FTSE 100 companies all they are interested in is:

- the minimum spend they can get away with
- the minimum investment in IT security spend
- the minimum investment in IT security staff (typically two to manage the whole raft of security, risk, compliance, governance, audits)
- the minimum spend on security training
- the minimum spend on security products or tools.

Far too often we see UK companies reacting to a significant loss before they are forced to implement an effective and proactive Information Security Management System, such as a combination of ITIL (BS15000) and SEC27001.
Having met numerous people in security over the last 2 years, including the CISOs of large businesses, the common theme has been that they are technologists who can argue until they are blue in the face about one vendor's technology vs another's. Two things need to happen. First, proper Board recognition of Security, and second, placing a business practitioner in charge, not a technologist. I made a post earlier on a different thread that stated security isn't sexy. You find that the best people do not get through to the top of the pile. If it is not valued, and not sexy, then it's less attractive, and therefore you do not attract the best people. I find I am still debating with CISOs the best firewall on the market, yet this is irrelevant!