Strategy clinic: How to win over business leaders to enterprise-wide data security

Our panel of experts offer advice on IT management dilemmas. This week: gaining a managing director’s commitment to system security

The issue: A data security policy risks failure from lack of buy-in at the top

The question: Our managing director fails to understand the importance of an effective data security policy across the company. How do I get her to understand that security is not simply a technology issue but one that she needs to be seen to be putting her influence behind?

Security is important, but be sure to assess costs accurately

First, you need to recognise that your managing director’s reasons for agreeing that a data security policy is important may turn out to be different from your own, or from those offered by IT suppliers.

Second, you should consider the extent to which she may well be right.

Anyone running a company is likely to agree that data security is, in principle, an important thing to have. But if it costs money or requires people to change what they do, then it is valid to ask exactly what level of security is appropriate and how it can be achieved as economically as possible.

It is perfectly proper for a managing director to want to minimise investment and disruption for something that will protect the company’s value to customers and shareholders but is unlikely to create any new value.

If the proposed policy is targeting areas of specific importance and vulnerability for your business, and it is economical to achieve, then there is a good chance your managing director will back it.

However, given that she may be assuming, incorrectly, that it is just a technical issue, you need to think about who should propose it. If she sees you as mainly representing the “T” rather than the “I” in IT, then any proposal you make may also be seen in this light, and the most senior person who looks after compliance in your company may be better placed to achieve a successful outcome.

Chris Potts, Dominic Barrow

Chris Potts is director of Dominic Barrow, which specialises in helping businesses focus IT management on maximising business value.


Approach the issue from the perspective of business risk

I am presuming that your policy requirement is just one element in a business-wide security strategy that encompasses people, places and processes as well as IT.

If this is not the case, then it needs to be. And that means getting all the relevant parties (human resources, facilities management, finance and legal included) on board to create a business solution to a business issue.

Leave out the technical terms, and approach the issue instead from the business risk perspective. This means targeting specific business fears such as brand and public reputation, legal obligations, “threats” and penalties, and the impact on the bottom line.

Illustrate your argument with case studies and facts and figures, which are available publicly.

Have your business create a security policy group – including business representatives and board “champions” – to sponsor and devise policies that address your business requirements, including information and data. Within this group you can advise and educate from the IT viewpoint.

This is not so much about “putting influence behind” as ownership and accountability. The risk must be understood for its importance to be appreciated, and it needs to be led and managed from the top to be implemented effectively.

Ollie Ross, The Corporate IT Forum

Ollie Ross is head of research at The Corporate IT Forum, a CIO networking group that seeks to help large IT users deliver better value from corporate IT


Remember that your boss may be intimidated by the subject

A security breach has the potential for significant business impact, with the consequences being felt by senior management.

A very serious security breach can cause loss of revenue if systems are not available. There is also the possibility of damage to the company brand, legal action if the company has failed to comply with legislation and litigation for its failure to protect partner organisations.

Corporate governance is a key requirement of a well-run organisation, and information security is a key element. Organisations are judged on their ability to lead, monitor and measure, and if your managing director is not showing ownership, she is failing in her role.

It may be that she is concerned that this area is outside her skillset and finds the subject intimidating. Offer to present a short paper about what it involves, explaining that her role is to act as a sponsor and leader – she does not need to understand the day-to-day detail.

You need to explain that information security involves the board recognising, managing and owning risk. This brief is wider than that of data security.

Your approach should be a combination of explaining the possible consequences of ignoring security, while offering a solution that shows her how the situation can be addressed by the board.

Roger Rawlinson, NCC Group

Roger Rawlinson is director of IT consultancy at NCC Group, an independent provider of IT security, assurance and consultancy services


Maintaining customer confidence is the crucial starting point

There are two parts to getting the message across to your managing director. One is to do with the breadth of what information security is about, and the second is how you manage to persuade her of the importance of this area.

To start with, I would emphasise the reasons why information security is critical to the business. There is the risk of loss of confidence from clients; the legal risk; and the potential for fraud and theft of information assets. And there is the downtime workers incur through viruses and other interruptions arising from security breaches, and the cost in time to put things right.

Then I would take her through what is involved. As well as the technical issues about back-ups, firewalls and anti-virus systems, you need to have processes and policies for safeguarding data security. Policies need to cover the confidentiality of information; compliance with laws and regulations; risk assessment; user computer policies; and data protection and privacy. Named people need to be responsible for these policies, and you also need a robust business continuity plan.

Finally, I would return to the issues of client confidence. Customers need to be sure that their information is being kept securely. If they do not have this confidence they will lose faith in your business and this could be very damaging.

Ben Booth, BCS Elite

Ben Booth is chairman of BCS Elite, a forum for IT directors and senior managers to discuss how to manage IT to achieve business objectives


Marshall the arguments and statistics to make your case

Information and data security is a general business topic nowadays, so it is surprising that your managing director takes this attitude. However, compromised businesses are reluctant to publicise the fact, so she may be saying to herself, “I haven’t heard of anyone going under, so why should I worry?”

But it has been widely reported that many firms that lose their data go out of business because of the disruption, the time it takes to recover and loss of client confidence. Find this information and use it to influence your managing director.

One of the problems of running a secure (so far) high-availability operation is that management comes to think of it as the norm. Reasonably enough, your managing director expects you to make sure the right physical safeguards are in place and that your department is adhering to them. You must have statistics about the number of external attacks thwarted each day – the sheer number is likely to be impressive.

What she may not realise is the extent to which your systems can be compromised by non-adherence to the rules you must have established. Draw up a briefing note, in boardroom English, that explains the various ways your systems could be compromised, why you have rules to prevent this, and why it is important that she ensures compliance with those rules.

Your business may be in a chain that ultimately supplies a regulated or compliance-driven organisation. Such organisations are exerting pressure for demonstrable business continuity plans and high-security practices. This is another route to investigate and brief your board.

Robin Laidlaw, Computer Weekly 500 Club

Robin Laidlaw is president of the Computer Weekly 500 Club, a networking forum for CIOs, and was formerly IT director at British Gas


Use the issue of regulatory compliance to get the information security message across

Effective data security helps reduce operational and reputational risk, but explaining this is not always straightforward. The business impact can be significant, so it is important that you engage your managing director in the context of her business priorities when you discuss data security.

Media reports of data security incidents could help you to bring the risks to your organisation’s reputation to life, and be a powerful means of emphasising the immediacy of operational risks and brand impact.

Regulatory compliance is likely to be high on her agenda. Compliance affects organisations in different ways, but most of it has an impact across organisations and their employees. Basing discussions on the activities required to ensure continued compliance is a means of expanding the issue of data security and broadening her understanding.

Once you have established a common understanding, outline clearly to her where you need her influence and support. Winning her visible support for the data security policy should be a pivotal step.

Other organisational levers in your managing director’s grasp may include taking the decision to align performance management criteria with data security control compliance. This sends a powerful message that data security requires significant and continuing management attention.

An effective data security strategy is likely to include significant technology investment. If you have taken the time to engage her at a business level, you should find subsequent discussions and decisions about technology needs and investment will be less frustrating and more productive.

Christian Roberts, Ernst & Young

Christian Roberts is senior manager for technology security and risk services at professional services company Ernst & Young


Show security is a vital factor in competitive edge

You are right to position this as a business rather than a technology issue. The question is how you engage the managing director. You do not indicate which approaches you have already tried, but you may want to consider different inputs.

There is considerable practical research material available that will provide both you and the managing director with ideas about the benefits of information security and how to achieve them. This will give you the arguments to consider information security as an aid to potential competitive differentiation.

You can also show that information security is as much about people as about technology. Recently an IT director in the US was jailed for eight years, having stolen more than a billion data records of his client’s customers by hacking into computer databases to illegally obtain passwords etc. You may consider sharing this story a high-risk strategy, but it might get the point across.

Ultimately you need to be clear about why the managing director needs to be involved and what you specifically want her to do.

Sharm Manwani, Henley Management College

Sharm Manwani is head of information management at Henley Management College. He has also held IT director roles at two multinationals
