Security still a tough sell

At the recent Comdex 2002 in Toronto, an entire track was devoted to security and biometrics. Though the talks were well attended, two common refrains were heard: “we just don’t have the money” and “management needs to be more on board.”

At one talk Simon Perry, Islandia, N.Y.-based vice-president of security solutions with Computer Associates International Inc., asked the audience if they had a lot of money to spend on security. No one raised their hand.

The theme of doing more with less, even in a post-9/11 world, echoed throughout the conference, with gripes about how chief marketing and finance officers never understood the real cost of security and the side effects when things go wrong.

“IT is so mission critical, it is the business,” said Glen Notman, managing consultant with Pink Elephant Inc. in Burlington, Ont. In his experience, most companies are not spending enough on security and tend to “react only after the horse has left the barn,” he said. It is usually the responsibility of IT to demonstrate how IT crashes and hacks truly hurt the business, he said. But this is a problem since IT often does not have the necessary tools to create the metrics which marketing and senior management can understand.

Paul Lewis, associate director, security, privacy and technical risk with Fujitsu Consulting in Toronto, sees the solution as a two-way street, with each side doing its part. It is IT’s job to demonstrate the cost to contain each corporate asset, be it an e-mail database or financial data, and the likelihood of it being compromised. It is marketing and management’s responsibility to calculate the intrinsic value of a security breach or loss of data in each area. The two groups can then come together to calculate the appropriate amount of money to spend to protect each sector.

Spending big money to protect a corporate e-mail system may seem like overkill, but if your proprietary research data moves about the company via e-mail, then it may end up being a drop in the bucket.

The first step, and one that needs to be driven from the top, is to change the corporate paradigm to one that is security-centric.

Lewis said it is important for management to understand that although IT is the means of the crime, the result of the crime is a business issue. Thus prevention must start with them.

“Security has to be part of the way you do business,” Notman said.

Adequate technology is one thing, but if senior management is not on board, it is no use, said Glen McLeod, an IT manager based in Ottawa.

And getting them on board is no easy task. Kelly Reed, IT director for Corning Community College in Corning, N.Y., said it is an uphill battle to get his superiors to understand security from more than a physical perspective.

Notman had a warning for those looking at solutions.

Often, when money is tight, outsourcing is viewed as the best option. Whatever you do, you can’t outsource the security management, otherwise you are at a huge risk of being at the vendor’s mercy, Notman said.


Need to convince your employer where and how your security work adds value to the business? Follow these tips:

1. Know your business. Know what’s critical to the business and adjust security accordingly.

2. Form alliances. Locating risk-sensitive data and systems also means building alliances with business managers.

3. Set standards. By blending business requirements with best practices, the security team can establish rules-based security standards for operating systems and platforms.

4. Bake in security. Standardizing security rules can reduce the cost of providing secure configurations to other IT departments.

5. Don’t go it alone. Consult vendor services currently coming to market to help reduce administrative overhead for current security processes.