Information Security

Defending the digital infrastructure
Showing executives the importance of information security

Learn how metrics, business resilience and Six Sigma can be used to prove the importance of information security to executives and shareholders.

Like many of you, I've discovered that security has become cocktail party conversation. Inevitably, when I mention what I do for a living, people respond with something like, "Wow, business must be booming!"

Yes, security is getting more media attention, but that doesn't necessarily translate into bigger budgets or, in the case of consultants and security vendors, more revenue. I've spent the better part of the last year trying to figure out why this disconnect exists, and I think I have the answer. In spite of everything that's happened, and no matter how hard we push, information security doesn't matter.

Now, before the infosecurity mafia comes to revoke my credentials, let me clarify. Sure, security matters, especially to security pros. But most senior executives at Fortune 500 companies think about security in terms of physical security and business continuity, with a passing interest in computer security. There are obvious exceptions, but information security has yet to become the boardroom issue we'd hoped it would.

Our security-centric view of the world often comes at the expense of the business itself.

Why? Because we think of ourselves as security practitioners first, technologists second and businesspeople third (if at all). We consider our jobs extremely portable; whether we work for a bank, a pharmaceutical company or a consulting firm -- the job is pretty much the same.

The problem is that our security-centric view of the world often comes at the expense of the business itself. For years, we've been saying that the goal of security is to protect the assets of the company. But if we truly had the objectives of the business at heart, the goal of security would be to ensure the company's ability to grow and fulfill its mission in the face of a changing risk environment. To do so requires us to think of ourselves as enablers of corporate strategy, as opposed to "defenders of the faith."

Roadmap to a mindset

The good news is that there are numerous tools at our disposal to help us execute on this strategy.

Metrics: Many CISOs claim that metrics serve no purpose in infosecurity, for two reasons:

  1. We don't have a way to measure qualitative things like policy development and awareness.
  2. There are no quantitative measures of event occurrences, so we can't calculate statistics like annualized loss expectancy (ALE).

To both of these claims, I'll quote the eminent philosopher Snoopy: "Ptui!" We shouldn't care about risk incidence; we should care about the resilience of the business in the event of an exposure. Risk happens. Instead of trying to minimize the chance of it happening, we should focus on limiting its impact when it does.

Business resilience: You'd be amazed at how simple a concept this is, and equally amazed at how difficult it is to see. There are a number of core things (processes, capabilities, characteristics, etc.) that drive a company's earnings and success. For example, in a service company, it might be the ability to maintain senior-level relationships or attract high-level staff. In a manufacturing firm, it probably has to do with supply-chain management. In each case, these items have an incredibly high "cost of failure" -- that is, the loss of that capability/process/characteristic would have a devastating impact on a company's earnings.

Yet, as we've seen with a number of companies, these earnings drivers are often underprotected while other areas are overprotected. In one case, a company was spending $50 million a year to protect a process that had a cost of failure closer to $8 million. Guess what? That company just found $42 million to be reallocated.

Six Sigma: General Electric, Motorola, Honeywell and others have spent years trumpeting the value of Six Sigma as a quality tool. Many companies have begun applying it to their business processes.

As the rest of the organization begins to think this way, CISOs need to look at how their internal security processes can be improved. I've seen Six Sigma applied to security operations, provisioning and even policy development processes -- often with dramatic financial benefits.

The sooner we can stop thinking of security as something that's "different" -- something that doesn't fit into the traditional business mold -- the sooner businesses will start taking us seriously. That time is now.

About the author: Anish Bhimani is a senior associate in the Global Assurance group of Booz Allen Hamilton and the author of Internet Security for Business (Wiley, 1998).

This was last published in August 2003

1 comment

Any executive that still needs to be convinced of the importance of information security must have their head in the sand. Look at all of the high-profile data breaches lately (I'm just speaking in terms of the U.S., where I live). From retail stores, banks, my health care insurance provider... so many businesses and consumers have been affected. 

From the company's standpoint, the damage control efforts are massive. From my standpoint, it's a huge inconvenience. I've had my card cancelled and had to sign up for credit monitoring services after data breaches. 

My own company is really focused on information security this year, too. For the wrong reasons. But it's still a good thing.
