
Making a return on IT security investment(2)

2017-06-18 18:31 [INVESTING] Source:Netword
Leach said privacy also needs to be understood. "Youngsters on social networking sites don't necessarily think the information they are posting is intimate. They don't mind the people they elected as friends seeing that information, but they trust it won't be used in a way they don't want it to be used. Privacy is not about who has access to the information, it's about what people do with the information," he said.

Security as a business enabler

Alldrick said there are online services, such as home shopping, that could not have gone ahead unless security was in place.

"Security has to be part of the business case and an enabler, otherwise Visa or MasterCard would not be part of it as they would not take the risk as a merchant acquirer," he said.

Powley said if security becomes an enabler of the business, it is important that organisations are able to profile the people who use their services and deliver more targeted content.

"Knowing who the people are, making decisions based on who they are and having identity at the forefront of how information is used is key," he said.

Simon Kellow, security and compliance manager at the Care Quality Commission, said there are fundamental questions to ask when considering security as an enabler: "What is your information asset and who are you dealing with? The questions are who, what, where and why?"

Danny Hulligan, information security manager at law firm Hill Dickinson, said it is difficult to assess to what extent security enables business.

"As a law firm, we won't get business if there is no IT security plan, but you never know if that contribution is 5% or 100% towards achieving that business."

But not having adequate IT security can be a business disabler. Kempton said, "The banking industry is full of people who will flog data. It is important to monitor activities and have a vetting process and an aftercare process, or your financial estate may not be there tomorrow."

Using the language of the boardroom

Trevett said, "If you walk into any boardroom, they understand the value of risk and how much they are prepared to pay for it not to happen. If we can phrase information security in a similar way, we can get somewhere."

He said that security professionals must be articulate, so that boardrooms understand that reputations are at risk if there are breaches, and security chiefs should explain why a profitable business objective will not happen if the organisation gets risk wrong. "Processes and procedures must be easy for users to follow," he said.

Stuart Ritchie-Fagg, senior information security analyst at Hermes Fund Managers, agreed that being direct is important: "Use layman's terms. Don't bore with IT spiel."

Caroline Holley, head of information governance at ONS, said IT security leaders must communicate what will go wrong without security. "It is important to think about risk and cost and explain to the board in a language they understand," she said.

Boardrooms understand the concept of competitive advantage and Powley said this can be used to make the argument for better security. Alldrick said that if an organisation boasts it is the best at security, it has an immediate impact on brand.

Leach said that risk is largely about perception and if you don't understand the assets in your organisation, risk is immaterial.

Allan Thomas, head of technology at insurer Hiscox, said that when talking to the board, "the lack of good data is a hindrance".

Toby Stevens, managing director of Enterprise Privacy Group, said, "It is important to know the board's ambition for security. For some boards their ambition will be to never talk to the IT security manager. Others will see security as a business differentiator."

Box out: Corporate considerations for IT security

Dr John Leach, independent research consultant at, was co-author of The Privacy Dividend, a report published by the Information Commissioner's Office (ICO) which makes the business case for protecting privacy and urges organisations to put a value on personal information.

Leach has worked on developing a return-on-investment case for information security. "I am confident that a real hard business case can be made for protection of privacy; it is not just about the need to comply with the Data Protection Act," he said.

However, he said that there is "no one universal case", but each organisation must consider its situation by demonstrating the business benefits of privacy and its protection.

"Look at how security can boost revenue, increase take-up of services, reduce costs, improve resilience, decrease the security and compliance risk, and feed into real business benefits," he said.

However, Leach found that most organisations do not consider privacy based on a business case, but tended to fall into two camps - those that believe protecting privacy benefits the business and do it as "an act of faith", and those that do not believe in the benefits and are sceptical about the lack of data.

