Marketing IT to the business: Part 2
- 15 November, 2011 15:44
Selling security
One issue long under the spotlight has been the vulnerability of companies’ data to hacking attacks.
“The recent attacks on Sony by ‘Hack Anonymous’ did not have any financial value to a cyber criminal,” Price says.
“The aim was to embarrass organisations by exposing how lame their security really was. But, of course, the boards of companies don’t understand the implications of this. They may hear about cyber but they really don’t know what they mean, because it’s not their area of expertise.”
Not that anybody these days can really prevent their company from being hacked. The best you can do is to detect an intruder, find out what they took and minimise loss. In fact, according to Price, anywhere between 51 and 99 per cent of “companies of significance” are already infected by malware that is sending information from, or allowing an external party access to, their IT systems. More reason, he maintains, for CIOs to identify mission critical data and to understand it from the board’s perspective; namely in terms of potential revenue loss, reduced productivity, reputational damage, share market impact, and loss of consumer confidence.
To achieve such an integrated enterprise view of information risk, Price says it’s time for CIOs to become more proactive in working with risk professionals. The upshot, he says, will be an enhanced standing of ICT at board level.
“Certainly in situations where there is no chief risk officer and the CFO looks after marketing and credit risks, operational risks should fall to the CIO,” he says.
“This is key to CIOs gaining an integrated enterprise view of risk and the elimination of organisational gaps in responsibility. It’s those gaps that the bad guys find and attack. It’s not enough to go out and buy widgets when you need them.
“Instead, there has to be an information security management framework incorporating policies and standards that people understand and are held accountable for following. Then, of course, CIOs have to architect systems such that they know the value of the information that traverses or is stored on them.”
In other words, integrating IT and information security risk management into the greater enterprise risk management needs to become a CIO imperative. One of the best ways for CIOs to obtain executive buy-in is to map the organisation’s key performance indicators (KPIs) against key risk indicators (KRIs). Because all organisations have a strategic plan, the board and company as a whole will understand KPIs, and that is the context in which KRIs need to be measured.
“Selling security or IT to a board is the same as selling anything to anybody,” Price says.
“It’s about finding out the problems they have — the needs and wants of the ‘buyer’ and providing a solution that satisfies them.”
The key, he says, is a clear explanation.
“The board understands risk, but they may not understand the IT and information security implications because to date we have not done a very good job of explaining them in terms they understand.”
Patey adds: “It’s true that in the recent past we’ve seen a significant increase in hacking and the risks associated with data loss. However, CIOs play an enormously valuable role in being able to build solutions and implement policy and procedure to reduce the risks associated with that.
“The key is being able to protect through solutions that will not devalue or slow down the organisation or detract from its ability to profitably deliver services.
“It’s important not to become a doomsday prophet. Instead, you need to be able to highlight the fact that certain risks exist today, the consequences of those risks on businesses that have experienced them (such as Sony), and what can be done to prevent or mitigate them.
“Obviously you do not want the board or leadership team to become familiar with those risks by living through an actual event.”
Read Marketing IT to the business: Part 1. Read Marketing IT to the business: Part 3.