IT security has the potential to impact a business at every level. Few other business areas, if any, have the potential to damage customer relations, disrupt supplier dealings, lower employee productivity, lose revenue and even lead to the arrest of the CEO.
And yet for many organizations, there is little visibility of IT security at board level, meaning that executives can have limited or no understanding of this critical issue. IT security is an essential topic for discussion and has certainly earned its place on the boardroom table, but for CIOs to be truly effective, they need to become effective translators of what IT security dangers mean for the business.
The IT threats facing both small and large businesses are too numerous to list, and are becoming more and more sophisticated every day. McAfee's annual Virtual Criminology report has plotted the growing involvement of organized crime online. It has shown there are alarming consequences to face for the industry as threats become money-motivated, and businesses are faced with the prospect of theft or even extortion online. Already this year we have seen a fraud uncovered at a Swedish bank with Russian cyber criminals stealing 8 million Swedish Kronor from the bank's customers, and no doubt there have been other attacks which have gone unreported.
Ensuring information integrity
IT lies at the heart of virtually all business processes. Threats which target the IT systems that underpin business functions, or vulnerabilities within these systems, have the potential to wreak havoc on a business. And as information (or data) itself becomes a core business asset, IT security is at the frontline in terms of assuring its integrity.
For the larger business, compliance is now a critical issue. Regulations from Sarbanes-Oxley to HIPAA to BASEL II and the Data Protection Act are very prescriptive when it comes to the integrity of data held by businesses. Failure to comply with these regulations can result in large fines, or potentially even jail terms for the business and its executives. New disclosure laws introduced in the US, and soon to appear elsewhere, force businesses to publicly announce when customer data has been compromised. The impact of this disclosure has in some cases been so severe that the company has gone out of business.
Most executive boards are undoubtedly aware of the importance of IT security to protect their business. But how many really understand the issues involved? News reports may highlight the latest threat or piece of malware but this means little without the context of what the specific vulnerabilities are for a business, particularly in relation to core assets. The board may set in place policies for the safe treatment of company data, but do they have any visibility over whether these policies are being enforced?
Speaking security in business terms
Undoubtedly many businesses do recognize the importance of IT security and that it is indeed a board-level issue with representation from the CIO. However, there is still a significant portion of companies where the CIO reports into the CFO or CEO and, although a board room subject, IT security has no direct representation from someone who is living and breathing the issues. For example, a report produced by the London School of Economics, commissioned by McAfee, found that 40 percent of CIOs within the financial services sector report in to the CEO.
However, while IT security may merit direct representation at board level, CIOs need to earn the right to engage in those board-level discussions - which means presenting IT security in a way which is meaningful to executives.
The board has no interest in how many emails are scanned each day or which version of the firewall software has been installed or what the latest Microsoft vulnerability is. To have credibility at board level, the CIO needs to speak the language of numbers rather than bytes. In the same way that the CFO presents the P/L figures for the business, the CIO needs to provide demonstrable metrics regarding IT security risk and conformance to compliance.
Take the example of a credit card company. The security of the systems that house customer data is critical from both a business and compliance perspective, and it is therefore crucial that the board has visibility over the security of these systems. A breach of security in any of these systems could undermine customer confidence irreparably, resulting in lost revenue or regulator action. The CIO must be able to clearly demonstrate the safety of these systems or provide a business case if additional resources are needed to achieve an acceptable level of risk.
As such, the key questions for the board are: What is the current level of risk to the business? Is this level of risk acceptable? If not, how can we reduce risk, what is the timeline to do so and how much will this cost? These are the questions for which the CIO needs objective metrics in order to demonstrate that either the level of risk is acceptable or that additional resources are required.
In an ideal world, IT security strategy should be set by the board at the behest of the CIO. The CIO therefore secures vital board buy-in and the resources necessary to achieve the acceptable level of risk. Ultimately, the role of the CIO is becoming more about conveying to business colleagues the importance of IT and its security and about evolving strategies that drive the business.