Selling security to the board

In tough economic times companies are constantly on the lookout for ways to cut budgets. As a result, IT sometimes finds itself managing the fort with far less than optimal technology.

At a recent Toronto security conference, a discussion was held on strategies designed to get board members to think of security as an integral part of the overall corporate strategy.

“CEOs and boards are mandated…to look after the overall function of the company,” said Marc Parent, director of the information systems and technology division of the Ottawa-based Canadian Payments Association. “Why should they focus on security?”

It is IT’s job to get board members to “focus on the risk associated with a problem instead of focusing on the problem itself,” he said.

John Wilson, CIO of Toronto-based Clarke Inc., provided a few ideas on how to do this. He suggested calculating the cost of a worst-case scenario, and said IT managers should interview the business leaders of each pertinent corporate division in order to “understand their reliance on their systems.”

The next step, again talking to business managers, is to figure out the potential business impact (lost customers, sales losses, reputation damage) of losing system availability for a given time period. Wilson suggested dividing it into three time frames: one to six hours, six to 48 hours, and 48+ hours.

The third step is to calculate the daily loss of revenue. This includes taking into account future business loss, which is done in part by figuring out at what point a current or future customer would be lost. For example, a B2B application down for eight hours might cause the loss of 30 per cent of current customers, but prompt 80 per cent of future customers to go elsewhere.

Different units will end up with wildly different thresholds and values for downed systems. An internal printing service might be able to survive for two days without e-mail or a Web server, while it would be corporate suicide to expect an e-commerce unit to be able to survive more than a few hours with the same affliction.

Once these values are calculated, they are ready to be presented to the board.
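The three-step costing exercise above, worked through as an added Python example (this is not code from the article or from any of the speakers quoted in it). The business units, revenue figures, loss fractions and outage probabilities are constructed for illustration; the article's own 8-hour outage with 30 per cent current-customer loss and 80 per cent future-customer loss is reused for the six-to-48-hour band. The model also weights each worst-case figure by its annual probability and drops negligible-probability scenarios, following Parent's point later in the piece that probability decides what is worth the board's attention.

```python
"""Downtime-cost model for a board-level risk summary (constructed example)."""
from dataclasses import dataclass, field

# The three outage time frames named in the article, in hours.
BANDS = ("1-6h", "6-48h", "48h+")


def band_for(hours: float) -> str:
    """Map an outage duration to one of the article's three time frames."""
    if hours <= 0:
        raise ValueError("outage duration must be positive")
    if hours <= 6:
        return "1-6h"
    if hours <= 48:
        return "6-48h"
    return "48h+"


@dataclass
class BusinessUnit:
    name: str
    daily_revenue: float          # revenue per day that depends on the system
    future_daily_revenue: float   # revenue per day expected from prospects
    # per time frame: (fraction of current customers lost,
    #                  fraction of future customers lost)
    loss_fractions: dict = field(default_factory=dict)


def outage_cost(unit: BusinessUnit, hours: float, horizon_days: int = 90) -> dict:
    """Cost of one outage: revenue lost while the system is down, plus
    revenue lost over `horizon_days` from current and future customers
    who go elsewhere because of it."""
    band = band_for(hours)
    current_frac, future_frac = unit.loss_fractions.get(band, (0.0, 0.0))
    direct = unit.daily_revenue * hours / 24
    lost_current = unit.daily_revenue * current_frac * horizon_days
    lost_future = unit.future_daily_revenue * future_frac * horizon_days
    return {
        "unit": unit.name,
        "band": band,
        "direct": direct,
        "lost_current": lost_current,
        "lost_future": lost_future,
        "total": direct + lost_current + lost_future,
    }


def expected_annual_loss(unit, hours, annual_probability,
                         horizon_days=90, min_probability=1e-6):
    """Probability-weighted outage cost. Scenarios below `min_probability`
    contribute nothing, so the summary is not padded with events the
    board will never see."""
    if annual_probability < min_probability:
        return 0.0
    return outage_cost(unit, hours, horizon_days)["total"] * annual_probability


def board_summary(scenarios, horizon_days=90):
    """`scenarios` is an iterable of (unit, outage_hours, annual_probability).
    Returns one row per scenario, highest expected annual loss first."""
    rows = []
    for unit, hours, p in scenarios:
        cost = outage_cost(unit, hours, horizon_days)
        rows.append({
            "unit": unit.name,
            "outage": cost["band"],
            "worst_case": cost["total"],
            "probability": p,
            "expected_loss": expected_annual_loss(unit, hours, p, horizon_days),
        })
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


# Constructed sample units; the figures are illustrative, not from the article.
ECOMMERCE = BusinessUnit(
    "e-commerce", daily_revenue=100_000, future_daily_revenue=20_000,
    loss_fractions={"1-6h": (0.0, 0.05), "6-48h": (0.30, 0.80), "48h+": (0.60, 0.95)},
)
PRINT_SERVICES = BusinessUnit(
    "internal printing", daily_revenue=5_000, future_daily_revenue=500,
    loss_fractions={"48h+": (0.05, 0.10)},  # survives two days without e-mail/web
)

SCENARIOS = [
    (ECOMMERCE, 8, 0.10),        # 8-hour outage, assumed 10% chance per year
    (PRINT_SERVICES, 8, 0.10),
    (ECOMMERCE, 72, 1e-12),      # catastrophic but negligible probability
]

if __name__ == "__main__":
    for row in board_summary(SCENARIOS):
        print(f"{row['unit']:<18} {row['outage']:<6} "
              f"worst case ${row['worst_case']:>13,.0f}  "
              f"p={row['probability']:<8g} expected ${row['expected_loss']:>11,.0f}")
```

The same eight-hour outage costs the e-commerce unit over four million in this model and the printing unit only the revenue missed while the system was down, which is the "wildly different thresholds" point made above; the ranking by expected loss, rather than by worst case alone, is what keeps a one-in-a-trillion catastrophe off the first page of the summary.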

Board members must be persuaded that systems failures “have a direct reflection on the management of the company,” Wilson said.

But Parent warns against presenting too much detail at board meetings. “The details must be translated into a summary…CEOs and boards are busy,” he said.

Parent suggests a presentation of 15 to 30 minutes with executive summaries of no more than three pages. With respect to security, “focus on topics that appeal to them,” he said. This means talking about money – about how much a system failure could actually cost the company.

The presentations should also focus on threat and risk assessment by showing the various levels of vulnerability (third-party data and software is available to help with these calculations) and their associated costs, Parent explained. The latter should be divided into both IT and business costs.

“Security is not about tools and technology; it is about understanding what your risk tolerance is and how much risk you are willing to live with,” said Michael Murphy, Symantec Canada’s Toronto-based general manager.

Offering solutions that fit the problem is also important. “Don’t create a Cadillac solution for a Chevette problem,” Parent said. And when you do come to them with solutions, try to find similar implementations close to home.

“[Executives] tend to pay attention more to businesses that are in their own industry,” he added.

IT also has to be careful when it sells security through fear. “The probability is the key,” Parent explained. Regardless of how damaging a potential IT failure is, if the probability is one in a trillion, it is probably not worth mentioning.

Wilson also warned against going overboard with the fear factor. Too much fear and the board might slow down the implementation of external-facing applications, he said.