Information security is often seen as more trouble and cost than it’s worth. Until it fails. How can CIOs truly make it part of enterprise risk management?
By Martha Heller, CIO
30 November 2012
CIO — So, a guy walks up to another guy who is clapping. The first guy asks, “Why are you clapping?” The second one answers, “To keep the alligators away.” Confused, the first guy says, “But there are no alligators around here.” And the second says, “See? It’s working!”
Such is the situation that many CIOs find themselves in when selling IT security to the executive committee. “When the CIO says, ‘I’d like to spend this amount on security,’ it’s rarely, ‘Are you sure you’re spending enough?’” says Steve Rubinow, CIO of FXall, an electronic foreign exchange platform. “Instead it’s, ‘We haven’t had any problems; maybe you’re spending too much!’”
The ROI Paradox. Perhaps the clearest aspect of the IT security paradox, says Rubinow, is this: “There is no easy ROI on security.” You cannot guarantee that your systems are 100 percent secure, so no level of spending buys a clean result to point to. Threats can also be subtle: nation-state actors may target intellectual property rather than customer data, and that kind of loss rarely produces the visible incident that would make the case for the budget.
With no real security emergencies at his own company, Rubinow leverages news of breaches elsewhere in his industry. “I don’t wish a security crisis on anyone,” he says, “but when it happens, I say, ‘OK, team, let’s get out the security PowerPoint; we have a window of opportunity.’”
Like most financial services CIOs, Rubinow also brings in a rotating set of consultants to execute penetration tests and benchmark his security investments against his competitors’. “If we brought in our peers from other organizations, would they view our investments as reasonable?” he says. “Would an objective set of eyes say we are spending the right amount?”
The Product Paradox. For Mike Rosello, VP of IT and operations at Alliance Data Systems Retail Services, the paradox lies in the trade-off between market competitiveness and security. “We are in the business of managing data, so strict security is an absolute must,” he says. “We need to have effective security protocols while also staying competitive with our capabilities in the marketplace.”
The solution is to have security staff on the design team from the start, which matters because each proposed solution brings its own security concerns, and they are far cheaper to address in design than after build. “You don’t want the security team telling the business why they can’t get what they want,” Rosello says. This means coaching the security team on a skill that may not come naturally: explaining trade-offs and offering alternatives rather than issuing vetoes. The more your security team can educate the business and sell security services to them, the more effective that up-front conversation with the business will be.
The IT Paradox. Security can’t be only IT’s problem. “When security is discussed as an IT issue, as opposed to an issue of business risk, it is often an unbudgeted afterthought,” says Mark Silver, divisional information officer at Siemens Healthcare. “But if something goes wrong, it is not IT alone that is held accountable. When I speak with CFOs, I remind them that ROI also stands for ‘risk of incarceration.’”
CISOs, whom Silver believes should report to CFOs or chief legal officers rather than to IT, need to align their approach with the company’s overall risk profile. “Are you bullish? Are you heavily regulated? Is your profile changing?” asks Silver. “If the SEC is starting to fine your competitors on a certain activity, your risk profile has just gone up.”
Once a CISO determines the risk profile, they need to make information security systemic to the organization. “As we start any project, we consider time, resources and quality,” says Silver. “It is not a stretch to add information security to quality considerations. By making security core to your project management methodology, all of the stakeholders assess whether the project matches the risk profile.”