If you're responsible for security, your organisation isn't the only thing you'll be busy defending against attack. The assault on your budget is likely to be just as determined.
Your peers – the heads of manufacturing, R&D and a host of other departments – will be competing for the money that's available. They'll be lobbying hard, claiming their proposals are the most deserving of investment – those that will deliver the greatest return.
At the same time, those in charge will want to be sure the money they have already given you is being spent well. They'll expect you to be able to account for every penny, and they'll want to know exactly what they got in return.
So how do you respond?
Given the challenges you face elsewhere it's tempting to go for a simple answer. “It's like insurance,” you could say. “It's something you have to have, just in case. You never know what might happen. It isn't costing you any more than the company next door, so it must be the right amount to spend.”
It's certainly a good idea to compare your approach to others. Indeed, the British Standard for Information Security Management Systems, BS7799-2, recommends you regularly benchmark your security against that of similar organisations and of industry as a whole.
And the argument that it's something you simply have to have is also valid. After all, it's a bit like having a burglar alarm – if everyone else in your street has one and you don't, the probability is that the burglar will attack you.
Unfortunately, though, such arguments aren't sufficient. To secure the money that pays for your defences, you need a clear and compelling business case that's based on up-to-date facts.
Facing up to risk
To ensure everyone is clear what is at stake, you need to be able to relate the individual risks your organisation faces to its business priorities – things like customer satisfaction and profitability. Which matters most to the organisation's success? And what level of risk is appropriate in each area? Taking customer satisfaction as an example, how long would it be before a loss of email or phone service caused a problem?
You'll have to work out what the situation is in your business. There's no such thing as a universal answer when it comes to security, so you really do have to consider each aspect of your operation, identify the risks you face and decide what's acceptable. And remember – organisations also face big risks if they fail to put appropriate internal controls in place and secure key documents.
The Sarbanes-Oxley (SOX) Act of 2002, for example, requires organisations to undertake ongoing reviews and assessments of the effectiveness of their internal controls. Because e-mail, instant messaging and texting (SMS) are now considered to be viable ways of taking orders, dealing with contracts and discussing sensitive financial issues, the Act also requires them to be archived and kept accessible for years to come.
The penalties for failing to operate in accordance with such laws can be severe – including substantial fines and even jail sentences – so it's foolish in the extreme not to consider and manage such risks.
Ultimately, you need to be able to associate a cost with each threat. That requires you to quantify its probability – the number of times each month an incident will occur, on average – the cost of remedial action and the cost of loss of service. The latter will vary depending on the security team's speed of response to the incident, so it's also important to report such information.
For example, an incident might impact the entire company for five minutes every month, or just 10 per cent of the workforce for half an hour. Which is most important will depend on the value of the work involved. If the 10 per cent are those who take orders from customers, the less widespread incident could well be the one that requires the most urgent attention.
When it comes to assessing the performance of an organisation's employees – in terms either of their level of understanding of your security policy or of their conformance to it – tests and spot checks can be important sources of information, as long as you remember they can only tell you how well your security measures are being implemented, not how effective they are.
For example, a random sample of employees can be asked to complete a questionnaire or a simple online 'exam' each month, and the results analysed to show how well they understand what's expected of them and to identify any areas of weakness that need to be addressed by future communications.
Spot checks are more expensive to conduct – mainly because they require security teams to get out there and make their presence felt – but that has the valuable spin-off benefit of visibly reminding employees about their security responsibilities.
Obviously, all the data that's gathered needs to be accurate if it's to be of real value. This is relatively easy to ensure where data is collected automatically by systems and processes but, in other areas, it's important for employees to feel they can report any security incident in confidence. This includes both real incidents, such as the theft or loss of a laptop, and potential incidents that may involve suspicious behaviour by a colleague or manager.
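The costing described above can be written down as a small model: expected monthly cost of a threat = incidents per month x (remediation cost + cost of lost service), where lost service is people affected x hours down x the value of their work per hour, and response speed shortens the hours down. The code below is an added illustration, not from the article; the 1,000-person company and all the money figures are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    incidents_per_month: float    # average frequency, taken from incident records
    affected_fraction: float      # share of the workforce that loses service (0.0 to 1.0)
    outage_minutes: float         # lost service per incident, driven by detection and response speed
    value_per_person_hour: float  # value of the affected people's work, in currency per hour
    remediation_cost: float       # cost of the fix-up work for one incident


def lost_service_cost(t: Threat, headcount: int) -> float:
    """Cost of lost service for one incident: people affected x hours without service x value of their work."""
    people_affected = headcount * t.affected_fraction
    return people_affected * (t.outage_minutes / 60.0) * t.value_per_person_hour


def expected_monthly_cost(t: Threat, headcount: int) -> float:
    """Probability (incidents per month) x (remediation cost + cost of lost service)."""
    return t.incidents_per_month * (t.remediation_cost + lost_service_cost(t, headcount))


def saving_from_faster_response(t: Threat, headcount: int, minutes_saved: float) -> float:
    """Monthly cost avoided if the security team's response shortens each outage by minutes_saved."""
    faster = replace(t, outage_minutes=max(0.0, t.outage_minutes - minutes_saved))
    return expected_monthly_cost(t, headcount) - expected_monthly_cost(faster, headcount)


def rank_threats(threats: list, headcount: int) -> list:
    """Most expensive threat first: this is the order in which they should compete for budget."""
    return sorted(threats, key=lambda t: expected_monthly_cost(t, headcount), reverse=True)


# Constructed figures for a hypothetical 1,000-person company (not taken from the article).
HEADCOUNT = 1000
COMPANY_WIDE = Threat("whole company down 5 min", 1.0, 1.0, 5.0, 40.0, 500.0)
ORDER_TAKERS = Threat("order takers down 30 min", 1.0, 0.10, 30.0, 600.0, 500.0)
THREATS = [COMPANY_WIDE, ORDER_TAKERS]

if __name__ == "__main__":
    for t in rank_threats(THREATS, HEADCOUNT):
        print(f"{t.name:26s} expected cost/month: {expected_monthly_cost(t, HEADCOUNT):10.2f}")
    print("saving if order-taker outages are cut by 10 min:",
          round(saving_from_faster_response(ORDER_TAKERS, HEADCOUNT, 10.0), 2))
```

With these constructed figures the narrower order-taker outage costs roughly eight times as much per month as the company-wide blip, which is the article's point about weighting incidents by the value of the work affected.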
The problem comes, of course, when the number of security incidents reported is zero. For example, if none of the PCs inside an organisation has been infected by a virus, does that mean the organisation is spending too much on this aspect of security? Like insurance, it's great if you never need to make a claim, but equally you don't want your policy to be based on an inflated assessment of the risk.
This makes it important for everyone to feel that the security challenge is being tackled thoroughly and professionally, and to be clear about the basis on which investments are being planned.
This is one area where a standard solution is the best answer. It is important for any organisation – and its suppliers – to achieve certification to internationally recognised information security standards such as ISO17799 and BS7799. Far from being bureaucratic milestones, these set out realistic, business-like frameworks that link key stakeholders and security professionals, align policies and investments with known risks and ensure that precautions are refined based on their performance.
Once you have all the data to hand, good communications and clear responsibilities are essential. Because of the complexity of the security issues that can face a multi-national company, it's best to put all the necessary expertise under a single umbrella – even though functional managers may be located in different parts of the world.
Yes – you'll find it a big challenge to identify those measures that best help you understand your performance in the areas that matter most to your organisation, but it is well worth the effort. And remember – it's important to be selective: in an area of business where quick response and decisive actions are essential, a few summary indicators are often better than a fog of detail.