Most companies have an information security programme. They may even have a chief information security officer to protect their information-based assets, though most do not.
However, in many cases, the reason they have those programmes and information security executives may be somewhat disingenuous.
Many companies have those programmes in place to satisfy regulatory requirements or as part of good corporate governance. That is reason enough.
A business reason
But as business people, shouldn't we be looking for a more business-related reason for such a spend rather than chalking it up as the cost of doing business?
Is there a business case for information security beyond regulatory requirements and good corporate governance?
I would argue there is a very good business reason for information security beyond the regulatory issues.
Weaknesses in the security of information systems have led to hundreds of millions of pounds being lost to computer-assisted fraud and a lack of confidence in buying online. Your customers will not use online services if they do not believe they are secure.
Many consumers cite security concerns, in particular identity theft, as their primary reason for not shopping online.
In most cases this attitude is reflective of the internet as a whole, rather than one particular company, though having a publicly disclosed information breach isn't helpful.
For the internet to reach its full commercial potential, we must instil confidence in consumers that their transactions and personal data are safe.
If consumers do not feel they can protect themselves and do not feel that we as suppliers can protect their data, they will not make purchases on the internet - or at least not in the volume they would if they felt protected.
We need to work to change that perception, so we may tap this under-utilised portion of the market. In order to do that, we must have the resources and executive management backing to develop security programmes that not only protect the company's assets but foster consumer confidence and add to the bottom line.
In addition to a sufficient information security programme, a way forward would be to utilise that programme from a sales, marketing and public relations perspective.
If a consumer is hesitant to buy a product online, they would be more likely to buy if they knew their prospective supplier was taking steps to ensure the safety of their personal data.
A marketing campaign surrounding the company's information security programme would not only enhance the reputation of the brand but add to the bottom line.
If you are not proactive about marketing your information security programme to your customers, your competitors might be.
Richard Starnes is a security consultant and president of the Information Systems Security Association