Raise the profile of security's risk management potential

The name "Paul Moore", ex-head of risk for HBOS, is not synonymous with information security, but perhaps it should be.

How can security play a central role in enabling business growth?

The name "Paul Moore" is not synonymous with information security, but perhaps it should be, writes Raj Samani of ISSA UK.

Previously head of risk for HBOS, Moore told the BBC's Newsnight: "The bank was moving too fast and I raised those challenges very strongly at board level. I also raised issues of cultural indisposition to challenge and inappropriate behaviours."

He added the HBOS story was like the "Emperor's new clothes", with no one prepared to "step out of line" and say what was going wrong.

Moore was made redundant following a restructuring.

Michael Bolton, another former HBOS executive, told BBC Radio 4: "Any bank chief executive pre-August 2007 that turned round to its shareholders and said profits and growth are now no longer the most important, it is now a more balanced approach - how many of those chief executives would have still been in their job with that sort of strategy?"

Being the bearer of bad tidings, such as risks to a business, is not enjoyable. If the business wishes to improve the bottom line through an e-delivery solution, for example, there is usually trepidation when seeking security sign-off. Such an environment is not sustainable; neither is one driven by what Moore described as the "fear of stepping out of line with the rest of the lemmings who were busy organising themselves to run over the edge of the cliff".

Managing risk involves a number of options, and these go beyond simply rejecting the risk. Designing security into a solution from the outset avoids the bolt-on sign-off at the end, and with it the confrontation over who has the most senior management support. Controls exist to reduce risks to an acceptable level; when security and the business work collaboratively, this not only becomes viable but also produces solutions that improve the business while being secure and cost-effective.

Ultimately, changing the perception of security's value is key. Although security professionals understand that value, the view is not often shared by the business. Precedent is a powerful way of demonstrating value, as is being able to quantify the return on investment, but both rely on someone communicating that value effectively and bridging the gap between technologists and the business.
