It's a perennial gripe among IT security experts, and one which the e-business revolution doesn't seem to have resolved: you can't get the board-level buy-in needed for the right level of investment in security technology. Nor can you bring about the security culture which everyone seems to agree is a prerequisite for making security work.
Executives outside the IT function are prone to view security as an optional extra. So, what's the best way for security advocates to get them to take notice? The traditional method is scare-mongering, and the DTI has a copious supply of statistics that will do just that: 60% of companies have experienced unauthorised systems activity at an average minimum cost of £24,000; and the first hacker usually arrives within three hours of a website's launch. But negative-selling is a turn-off and is often dismissed by directors as hype.
Although security professionals claim that computer virus Code Red did tens of millions of pounds worth of damage, victims are not exactly falling over themselves to share their experiences. Companies simply won't talk about this sort of thing, explains David Wray, chief technology officer and co-founder of UK security specialists Authorizor. "The only time you know when a bank has been robbed is when the police are outside."
Penetration-testing, combined with the right reporting tools, can be one way of convincing the board that risks are real. Ian Kilpatrick, group managing director of Wick Hill, says: "If you show them the vulnerabilities in their set-up, they won't need to understand the jargon."
Presenting directors with, say, payroll details and password lists obtained in penetration-testing can also grab their attention, says Graeme Cox, managing director of security firm DNS. Kilpatrick also recommends the honeypot, a decoy that reveals attempted violations without risk to the main system, thereby giving a graphic illustration of the risks.
CEOs and MDs
Those who head up companies are likely to respond positively to security propositions that are presented as enablers rather than inhibitors. Much of that depends on security specialists taking the right approach. Alan Liddle, technical director of Trustis, specialists in e-commerce security, says: "We don't go in as the security police - the Draconian approach turns directors off. It's better to position ourselves as the people who are going to build the secure solution to fix the problems, not the people who are going to switch off the systems the company needs to do business."
Despite vendor ambivalence towards scare-mongering, some security experts believe the media attention given to e-business security breaches does attract the attention of chief executives. Paula Palma, vice president and managing director for Europe at Entegrity Solutions, says: "They're concerned about shareholder value and corporate reputation, both of which can be damaged by bad press."
Company chiefs are also aware that the buck stops with them - an awareness that should have been heightened by recent legislative and regulatory change, which places increasing responsibility for information security on the shoulders of board directors.
For example, some security companies are doing their best to draw attention to the new Data Protection Act, which becomes fully operational this month, when a period of grace for existing companies ends. The Act means that companies which don't take their privacy responsibilities seriously could be in more trouble than before. "Under the new Act, a company may be liable for compensatory damages if any individual suffers damage as a result of having their personal information used in an unauthorised way," says Toby Ben, product manager at Access Research Technologies.
Having the right security precautions in place could help to safeguard a company against such claims. However, some industry players are doubtful about the likely impact of the Act. "There's not enough education taking place. The Act will have no impact until something brings it forcibly to companies' attention, such as a company falling victim to it through ignorance," says Kilpatrick.
Then there's the Turnbull Report on corporate governance, whose guidelines make directors ultimately responsible for business risk management, including data and IT risk. A couple of years after the report's publication, the penny has yet to drop with some executives. Michael Harrison, chairman of communications and marketing group Harrison Smith Associates, is also a board member of the Information Assurance Advisory Council (IAAC) on which he also represents anti-virus firm Symantec. Executives he encounters don't always understand the practical implications of Turnbull. "They have all heard of it, but when you ask them what their personal responsibility for information management is, many will say, 'It has nothing to do with me, it's the IT manager's responsibility.' They still think of it as a technical problem that can be delegated rather than recognising it as a risk management decision that shouldn't be delegated."
Harrison believes that boards will take the issue seriously the day someone stands up at a shareholder meeting and asks about the company's data security. In the meantime, IAAC, a government-backed centre of excellence for information assurance, is doing its best to help by bringing together corporate leaders, public policy makers, law enforcement officials and the research community to address the security challenges of the information society.
The language used can help grab an executive's attention, starting with how the subject is introduced. Andrew Rathmell, chief executive of the IAAC, explains that his organisation has chosen the term 'information assurance' advisedly. "The term, which came from the military world, makes this an operational issue in a way that information security wasn't, and so helps raise it to board level."
At a more detailed level, BS7799 can help IT and business develop a common language for talking about security. BS7799 is the British standard for information security management, first published in 1995, and now also known as ISO17799. The standard encourages companies to work out what they need to do in business terms, and then create a coherent risk management approach instead of just stringing together a series of technological safeguards.
Geoff Davies, managing director of IT security specialist i-Sec, says: "Decision makers understand operational risk - they're used to considering questions like, 'What would happen if 50% of customers paid after 60 days instead of 30 days, and what controls do we need to put in place to deal with it?' BS7799 lets them think about information and how it might be compromised in the same terms."
Liddle agrees, saying: "BS7799 can help people understand that security must be a process rather than a load of boxes of technology." But, he notes, only now is BS7799 starting to be useful as a consciousness-raising tool. "For a long time, when you mentioned it, the most common response was, 'What?'"
One thing that may help raise awareness of BS7799 is the fact that the Data Protection Act mentions it; implementing BS7799 could help you establish in a tribunal or court that your company hadn't been careless with other people's information. But that's assuming people are taking notice of the Act itself.
CFOs and FDs
Stereotypically, heads of finance are not interested in any proposition unless there is a quantifiable return. While some vendors believe they have encountered this attitude, the finance community counters that, on the contrary, financial directors are aware of the issues surrounding information security. "FDs and directors are very interested in identifying and evaluating risks that affect their businesses, and in taking relevant steps to counter those risks," says John Court, head of the IT faculty of the Institute of Chartered Accountants in England and Wales.
As usual, the problem partly lies with security people telling their story the wrong way. "Sometimes, security specialists think about the subject from a purely technical point of view instead of relating it to the business as a whole," Court observes.
Once again, BS7799 could be helpful. Birmingham-based computer audit and security consultant Dick Price says: "BS7799 is a superb way to get the message across in a way that FDs can understand." Price needs it because he still encounters financial directors who dismiss information security and IT as an overhead. "Some have risks staring them in the face. The phrase 'trading recklessly' comes to mind."
Are there any areas where security propositions can be seen to deliver measurable returns as opposed to reduction of risk? Well, one area where they can is in making your company more attractive to customers or partners, and so bringing in more business. "Companies like BT and the Halifax are using security and consumer trust as marketing differentiators, putting out adverts with the message, 'We're more trustworthy and secure than our competitors,'" Rathmell says. The marketing director could become your ally here.
Some technology measures can be sold on the basis that they enhance productivity as well as securing information. Wray puts forward the example of products to enable secure remote working. "If you give the workforce the flexibility to work anytime they can get on to the Internet, you're potentially going to get more work out of them."
Enrique Salem, senior vice president of products and technology at Oblix, has additional examples. "Facilities like single sign-on are as much about productivity as security. If you have to remember a dozen passwords, you're going to spend a lot of time calling the IT helpdesk to get a new one. And, if, as statistics suggest, it takes [a new member of staff about] 12 days before they're given access to the systems they need, there's scope to increase productivity by automating the process."
Financial people are going to be keenly aware that risks need to be addressed at the right level. No company can afford to plug every gap, so it's important to put forward the solution that's appropriate to the company's situation. Liddle says: "We can roll out PKI solutions cheaply and quickly. If a company complains that it can't interoperate with someone in Lower Mombassa, our answer is, 'Why worry at the moment when you have no business need to do it?'"
IT & e-business directors
The IT department certainly understands the need for security technology, but it's not always motivated to promote it. Davies explains: "Security is just not seen as sexy. How big a pay rise will the IT director get for delivering a firewall?"
Putting forward a proposal for security expenditure can place technical people in an embarrassing quandary, points out Wray. "The other directors are liable to ask the IT director if the company's system is secure. Advancing the proposal can seem like an admission of incompetence." That's particularly true if previous security business cases have incorporated the over-ambitious claims of vendors. "Vendors sometimes encourage buyers to view something like a firewall as more all-embracing than it really is," explains Wray. "IT directors need to make sure the scope of each piece of technology is accurately understood. If you buy a lock for your front door you don't expect it to take care of the windows too."
E-business directors may see security as obstructing their projects and increasing time to market, warns Palma. "We have to educate them, too, about why security technology can be an enabling tool."
Security tools that automate manual administrative functions - or shift some of the work away from the IT department - are among those that appeal most to chief information officers and the like, says Salem. "Surveys show that password resets can cost companies between $200-$300 (£138-£207) per employee, per year. Giving employees the ability to do that work in a self-service fashion can reduce departmental costs."
But even when they're convinced themselves, IT people need to get over their fascination with gizmos if they're to communicate effectively with the rest of the organisation. Liddle says: "IT people still tend to go for the high-tech sell, telling the board all about 128-bit encryption, signing certificates and such, when what's really needed is a high-level statement of the proposal with a focus on the real business benefits."
A risk management framework along the lines of BS7799 can help to achieve the correct focus, but even then IT people may still have problems. "Even if they understand the terminology of impact analysis and so on, IT people probably aren't in the best position to assess exactly what information is vital to the business," explains Harrison.
However, he says, there are tools that can help build a risk profile and assess the cost of reducing the risk, as well as consultants queuing up to help bridge the communications gap between IT and the business.
If security is generally seen as a spanner in the works rather than a facilitator of e-business, it could be because people tend to present it as a separate area rather than an integral part of e-business. "Even with enormous e-business projects in major financial institutions, we still see security presented as an add-on," Cox says.
"The project can get as far as a beta release before someone asks, 'By the way, is this going to be secure?' At that point, security isn't part of the budget. Sometimes there are business functions that can't be offered because the security just isn't there," he says.
Cox says that savvier organisations, such as Scottish Enterprise, start to think about security right at the beginning of their e-business activities. That way, he argues, you can push your security strategy along with your on-line services, with minimal spend up front and more investment later, after the deliverables have started to appear. The benefits of security are the benefits of the programme as a whole, and you should never find yourself having to make a case for a piece of technology, such as a firewall, in a vacuum.
Liddle recalls: "In the old days, firms used to take the project as far down the road as possible. Then they'd give it to the security people knowing that they'd throw their toys out of the pram, but it would be too late to do anything about it at that point. Now people are starting to realise that an e-business system without adequate security is like a car without wheels.
"What's needed is a balanced debate, not an attempt to close every security gap regardless of cost, but a pragmatic approach that views security as an integral part of the solution."
Graham Edwards, director of group fraud and security at Abbey National, says: "We evaluate each proposed security initiative carefully, getting the business lines concerned to comment on the level of risk that's being addressed. Because we already have a security strategy in place there's a framework for these evaluations. And we don't have to convince senior management of the need to spend money on information security each time because they're already convinced."
In these difficult times, one reason directors may be reluctant to spend money on security technology is that they simply haven't got that kind of money to spend. It's sometimes alleged that the only cheap security technology is the kind you can't afford to get working because it's so hard to implement.
Richard Ellis, founder of onefootball.com and former chief executive of Digital Sport, says: "We implemented security technology - particularly to address theft of our content - but it can be difficult for smaller organisations to spend what amounts to tens of millions on a below-the-line expense."
It seems the best solution to catching the eye of executives would be for the industry to come up with more affordable solutions.
When the push for security goes inside out
Executives may soon find themselves under increasing pressure from outside the company to take security more seriously. Spurred on by initiatives such as the Turnbull report on corporate governance, company auditors will be bringing information assurance to the attention of financial directors and the board.
Andrew Rathmell, chief executive of IAAC, says: "They've done this in the US and now we can expect to see the Big Five firms and other professional institutes drawing up similar guidelines here."
Insurers, too, could supply both positive and negative incentives to grab the board's attention, refusing to cover organisations for certain types of risk or offering reductions in premiums for those with good information security. Security proponents may soon be getting valuable reinforcement, too, from corporate business partners. B2B e-commerce means that companies are soon likely to pressurise each other to comply with their security requirements.
Alan Liddle, technology director of Trustis, says: "One of our customers supplies software to banks, and banks won't buy anything from anyone until they're satisfied with the security of the suppliers' own systems." The Internet has made it easier for companies to put pressure on their suppliers because it's now so easy to switch suppliers.
So, which security standards will companies apply to each other? They may look for compliance, or certification against BS7799, or alternative European standards. Or companies and industries could impose their own.