A recent survey, carried out by NetIQ, claims that most IT Security Managers believe that their board-level superiors pay only lip service to compliance and security, i.e. they don’t take it seriously. Is this really correct? Or are we misinterpreting the signals from above?
I reckon the latter is nearer the mark. I’ve discussed IT security with dozens of managing directors in different industries. In my view they all take security very seriously indeed. Which is no surprise, given that they constantly handle sensitive information, and that they’re often much better informed about serious incidents than their staff. So why is there a difference in perception? I can see three possible reasons. Firstly, there is a lack of visibility of senior management thinking. Most directors are discreet. They rarely go around broadcasting their views about sensitive subjects, such as security. Secondly, they might have higher priorities. Most organisations have risk management processes in place that highlight major business risks for board-level intervention. If security doesn’t rank in their Top 50 risks, you can’t expect it to be high on the Board agenda. Thirdly, any major expenditure requires justification. No managing director should be endorsing major investments in security without a clear business case. And sadly we rarely see good examples of these.
I’m always surprised to hear claims that security spending is difficult to justify. In my experience it’s much easier than justifying expenditure on many other business initiatives. For comparison think about advertising campaigns which only work half of the time, CRM programmes that are an expensive leap of faith, or new product launches for which no sales are guaranteed. Security spending is easier to defend. There’s a lot of published incident data to support its claims. And if you add up the numbers the ROI can be quite impressive. Not to mention the fact that there are legal and regulatory demands to reinforce the business case.
So if security is not being addressed, where might the problem lie? The answer is likely to lie either with the risk assessment process, for not highlighting the problem, or with local business managers, for not managing these risks. Or perhaps with the security function, for not establishing a functioning security management system. But don’t blame the Board. At the end of the day they’re the ones who risk a jail sentence. So they shouldn’t need reminding about the importance of compliance and security.