Making a return on IT security investment

Computer Weekly invited some of the UK's top information security leaders to a roundtable debate, in association with Oracle, to discuss how to deliver business value in information security.

The debate focused on how you measure return on investment, ensuring security by design, understanding the value of information assurance, security as a business enabler and how to ensure that the board understands the value of security, as well as the reputational and economic risk of getting it wrong.

How to measure ROI for IT security

Marcus Alldrick, senior manager, information protection and continuity at Lloyd's of London, asked, "How do we demonstrate that information security has value?"

He said that if you provide a return on investment (ROI) to the CIO, then cost avoidance must be taken into account.

"Look at operational and helpdesk costs being reduced. Look at leveraging benefits, in terms of people, projects and practices. Security is not an enabler on its own, but it can be a disabler," he said.

Work out a bottom-line figure for security and show that ROI can be done in varying ways, said Callum Halliday, information security manager for the London 2012 Olympics.

"You can quantify things such as better user behaviour and reduced calls to the helpdesk or less incidences of virus infections. You can use the pound-sign for virtually everything, which will make the funding organisation more receptive," he said.

Security by design

Security needs to be built into systems from the beginning. As Martyn Croft, CIO at The Salvation Army, pointed out, "You don't want to buy a car and then be told, sorry the brakes are extra."

Mario Kempton, head of information security at the Serious Organised Crime Agency (Soca), said it is vital that security is present at the inception of any project. "Systems security should be cradle-to-grave, and embedded from day one, but there are no government guidelines in place."

Andrew Yeomans, vice-president of global security at Commerzbank and a board member of the Jericho Forum, agreed. "Security requirements must be stated up-front in the procurement process," he said.

But how security is designed and implemented will vary for different organisations, said Alldrick. "Every business is different. I don't think it will be a science. Security will remain an art, which is why best-practice is key. Security has a collaborative nature and no one model will work. It is a case of mix-and-match," he said.

Understanding the value of information assets

A fundamental challenge is to understand that "information has a value and you have to know what that value is," said Croft.

Des Powley, technical director of security and ID management at Oracle UK, said making distinctions in value is important. "Everyone has anti-virus. The challenge for me is how do you take it to a level where we see information as an asset where you can drive business value."

Brian Shorten, risk and security manager at Cancer Research, said, "Security is an asset, not an obstacle. The thing to get across in an organisation is the concept of toxic data; not necessarily in a financial way - it can be anything that can hurt you. For example, what would our supporters think if we screwed up a drugs trial?"

Alldrick said, "Most of our risk assessment is objective. There are four options - risk can be accepted, managed, transferred or avoided. This data is worth this much. If the risk is accepted, get the job done and move on."

Mike Trevett, deputy director for IS and legal services at the Office for National Statistics (ONS), said, "If you lose a customer database, you can't just buy another one. It comes back to a risk management scenario."

Independent research consultant John Leach said that you put a value on information from several perspectives. "There are different angles: the value of information as an asset to generate revenue; valuing information from the point of view of brand risk; if something goes wrong with the brand and looking at value from a compliance point of view," he said.

Leach said privacy also needs to be understood. "Youngsters on social networking sites don't necessarily think the information they are posting is intimate. They don't mind the people they elected as friends seeing that information, but they trust it won't be used in a way they don't want it to be used. Privacy is not about who has access to the information, it's about what people do with the information," he said.

Security as a business enabler

Alldrick said there are online services, such as home shopping, that could not have gone ahead unless security was in place.

"Security has to be part of the business case and an enabler, otherwise Visa or MasterCard would not be part of it as they would not take the risk as a merchant acquirer," he said.

Powley said if security becomes an enabler of the business, it is important that organisations are able to profile the people who use their services and deliver more targeted content.

"Knowing who the people are, making decisions based on who they are and having identity at the forefront of how information is used is key," he said.

Simon Kellow, security and compliance manager at the Care Quality Commission, said there are fundamental questions to ask when considering security as an enabler, "What is your information asset and who are you dealing with? The questions are who, what, where and why?"

Danny Hulligan, information security manager at law firm Hill Dickinson, said it is difficult to assess to what extent security enables business.

"As a law firm, we won't get business if there is no IT security plan, but you never know if that contribution is 5% or 100% towards achieving that business."

But not having adequate IT security can be a business disabler. Kempton said, "The banking industry is full of people who will flog data. It is important to monitor activities and have a vetting process and an aftercare process or your financial estate may not be there tomorrow."

Using the language of the boardroom

Trevett said, "If you walk into any boardroom, they understand the value of risk and how much they are prepared to pay for it not to happen. If we can phrase information security in a similar way, we can get somewhere."

He said that security professionals must be articulate, so that boardrooms understand that reputations are at risk if there are breaches, and security chiefs should explain why a profitable business objective will not happen if the organisation gets risk wrong. "Processes and procedures must be easy for users to follow," he said.

Stuart Ritchie-Fagg, senior information security analyst at Hermes Fund Managers, agreed that being direct is important: "Use layman's terms. Don't bore with IT spiel."

Caroline Holley, head of information governance at ONS, said IT security leaders must communicate what will go wrong without security. "It is important to think about risk and cost and explain to the board in a language they understand," she said.

Boardrooms understand the concept of competitive advantage and Powley said this can be used to make the argument for better security. Alldrick said that if an organisation boasts it is the best at security, it has an immediate impact on brand.

Leach said that risk is largely about perception and if you don't understand the assets in your organisation, risk is immaterial.

Allan Thomas, head of technology at insurer Hiscox, said that when talking to the board, "the lack of good data is a hindrance".

Toby Stevens, managing director of Enterprise Privacy Group, said, "It is important to know the board's ambition for security. For some boards their ambition will be to never talk to the IT security manager. Others will see security as a business differentiator."

Corporate considerations for IT security

Dr John Leach, independent research consultant at, was co-author of The Privacy Dividend, a report published by the Information Commissioner's Office (ICO) which makes the business case for protecting privacy and urges organisations to put a value on personal information.

Leach has worked on developing a return on investment for information security. "I am confident that a real hard business case can be made for protection of privacy; it is not just about the need to comply with the Data Protection Act," he said.

However, he said that there is "no one universal case", but each organisation must consider its situation by demonstrating the business benefits of privacy and its protection.

"Look at how security can boost revenue, increase take-up of services, reduce costs, improve resilience, decrease the security and compliance risk, and feed into real business benefits," he said.

However, Leach found that most organisations do not consider privacy based on a business case, but tend to fall into two camps - those that believe protecting privacy benefits the business and do it as "an act of faith", and those that do not believe in the benefits and are sceptical about the lack of data.

"You can't change perceptions until something goes wrong. When they feel a hand on their collar and say 'ouch', that is what changes their perception. Organisations that haven't bought into protecting privacy are running a risk. Something will go wrong and they will come up against the ICO or customers deserting them," he said.

For the past 20 years information security has been treated as an art, not a science, said Leach, but this is changing as more organisations realise that there is a return on investment.

"People followed security standard ISO 27001, but no-one was able to put a money value on how much it costs to do security control. I believe that will change and it should be a science," said Leach.

By approaching information security in a different way and solving the return on investment problems, Leach said organisations will benefit. "You can work out the return on investment for information security measures and demonstrate this," he suggested.
