Selling safety to suits

In tough economic times companies are constantly on the lookout for ways to cut budgets. As a result, IT sometimes finds itself managing the fort with far less than optimal technology.

But at a recent Toronto security conference, a discussion was held on strategies designed to get board members to think of security as an integral part of the overall corporate strategy.

“CEOs and boards are mandated…to look after the overall function of the company,” said Mark Parent, director of the information systems and technology division of the Ottawa-based Canadian Payments Association. “Why should they focus on security?”

It is IT’s job to get board members to “focus on the risk associated with a problem instead of focusing on the problem itself,” he said.

John Wilson, CIO of Toronto-based Clarke Inc., provided a few ideas on how to do this. He suggested calculating the cost of a worst-case scenario, and said IT managers should interview the business leaders of each pertinent corporate division in order to “understand their reliance on their systems.”

The next step, again talking to business managers, is to figure out the potential business impact (lost customers, sales losses, reputation damage) of losing system availability for a given time period. Wilson suggested dividing it into three time frames: one to six hours, six to 48 hours, and 48+ hours.

The third step is to calculate the daily loss of revenue. This includes taking into account future business loss, which is done in part by figuring out at what point a current or future customer would be lost. For example, a B2B application down for eight hours might cause the loss of 30 per cent of current customers, but prompt 80 per cent of future customers to go elsewhere.

Different units will end up with wildly different thresholds and values for downed systems. An internal printing service might be able to survive for two days without e-mail or a Web server, while it would be corporate suicide to expect an e-commerce unit to be able to survive more than a few hours with the same affliction.
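The three steps above amount to a small downtime-cost model: reliance per unit, impact per time frame, and daily revenue loss including future business. The following is an added worked example, not code from the article or from either speaker, that puts those steps into a calculator. The unit profiles, dollar figures, horizon and tolerance values are constructed for illustration; the three time frames and the 30 per cent / 80 per cent eight-hour figures are taken from the text.

```python
"""Downtime business-impact calculator (added example, not from the article).

Models the three steps described in the text: per-unit reliance on systems,
impact by time frame (1-6 h, 6-48 h, 48+ h), and daily revenue loss including
future business lost. All sample numbers below are constructed.
"""
from dataclasses import dataclass

# Time frames exactly as the article gives them. Each tier is stored with its
# upper bound in hours; None marks the open-ended 48+ tier.
TIME_FRAMES = (("1-6 h", 6), ("6-48 h", 48), ("48+ h", None))


@dataclass(frozen=True)
class UnitProfile:
    name: str
    daily_revenue: float                     # direct revenue per day (constructed)
    current_loss: tuple[float, float, float]  # share of current customers lost, per tier
    future_loss: tuple[float, float, float]   # share of prospective business lost, per tier
    future_daily_revenue: float              # value of the prospect pipeline per day
    horizon_days: int                        # how long lost customers depress revenue
    tolerance_hours: float                   # longest outage the unit says it can survive


def tier_index(hours: float) -> int:
    """Map an outage duration to one of the three article time frames."""
    if hours <= 0:
        raise ValueError("outage duration must be positive")
    for i, (_, upper) in enumerate(TIME_FRAMES):
        if upper is None or hours <= upper:
            return i
    return len(TIME_FRAMES) - 1  # not reached: last tier is open-ended


def outage_cost(unit: UnitProfile, hours: float) -> dict:
    """Estimated cost of an outage of `hours` for `unit`.

    direct  - revenue not earned while the systems were down
    current - revenue lost over the horizon from current customers who leave
    future  - prospective business lost over the horizon
    """
    tier = tier_index(hours)
    direct = unit.daily_revenue * hours / 24
    current = unit.daily_revenue * unit.current_loss[tier] * unit.horizon_days
    future = unit.future_daily_revenue * unit.future_loss[tier] * unit.horizon_days
    return {
        "tier": TIME_FRAMES[tier][0],
        "direct": direct,
        "current": current,
        "future": future,
        "total": direct + current + future,
    }


def board_summary(units, hours: float):
    """One row per unit for the executive summary: (name, tier, total loss,
    tolerance exceeded?), worst unit first."""
    rows = []
    for u in units:
        cost = outage_cost(u, hours)
        rows.append((u.name, cost["tier"], round(cost["total"]), hours > u.tolerance_hours))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample units. The e-commerce tier-two figures (30% of current
# customers, 80% of future customers) mirror the article's eight-hour example;
# everything else is illustrative.
ECOMMERCE = UnitProfile(
    name="E-commerce",
    daily_revenue=200_000.0,
    current_loss=(0.05, 0.30, 0.60),
    future_loss=(0.10, 0.80, 0.90),
    future_daily_revenue=50_000.0,
    horizon_days=30,
    tolerance_hours=4,
)
PRINTING = UnitProfile(
    name="Internal printing",
    daily_revenue=20_000.0,
    current_loss=(0.0, 0.0, 0.10),
    future_loss=(0.0, 0.0, 0.05),
    future_daily_revenue=2_000.0,
    horizon_days=30,
    tolerance_hours=48,
)
SAMPLE_UNITS = (ECOMMERCE, PRINTING)

if __name__ == "__main__":
    for name, tier, total, breached in board_summary(SAMPLE_UNITS, 8):
        flag = "EXCEEDS TOLERANCE" if breached else "within tolerance"
        print(f"{name:<18} {tier:<8} ${total:>12,}  {flag}")
```

The same eight-hour outage produces very different rows: the e-commerce unit's loss is dominated by the customers it never gets back, while the printing unit's cost is only the revenue missed during the outage itself, which is the contrast the article draws between units.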

Once these values are calculated, they are ready to be presented to the board.

Board members must be persuaded that systems failures “have a direct reflection on the management of the company,” Wilson said.

But Parent warns against presenting too much detail at board meetings. “The details must be translated into a summary…CEOs and boards are busy,” he said.

Parent suggests a presentation of 15 to 30 minutes with executive summaries of no more than three pages. With respect to security, “focus on topics that appeal to them,” he said. This means talking about money – about how much a system failure could actually cost the company.