
How CIOs are making security an enterprise necessity

Martha Heller | Dec. 3, 2012
Information security is often seen as more trouble and cost than it's worth. Until it fails. How can CIOs truly make it part of enterprise risk management?

So, a guy walks up to another guy who is clapping. The first guy asks, "Why are you clapping?" The second one answers, "To keep the alligators away." Confused, the first guy says, "But there are no alligators around here." And the second says, "See? It's working!"

Such is the situation that many CIOs find themselves in when selling IT security to the executive committee. "When the CIO says, 'I'd like to spend this amount on security,' it's rarely, 'Are you sure you're spending enough?'" says Steve Rubinow, CIO of FXall, an electronic foreign exchange platform. "Instead it's, 'We haven't had any problems; maybe you're spending too much!'"

The ROI Paradox. Perhaps the clearest aspect of the IT security paradox is this: "There is no easy ROI on security." And, says Rubinow, you cannot guarantee that your systems are 100 percent secure. Plus, security threats can be subtle, with nation-states targeting intellectual property rather than customer data.

With no real security emergencies at his own company, Rubinow leverages news of breaches elsewhere in his industry. "I don't wish a security crisis on anyone," he says, "but when it happens, I say, 'OK, team, let's get out the security PowerPoint; we have a window of opportunity.'"

Like most financial services CIOs, Rubinow also brings in a rotating set of consultants to execute penetration tests and benchmark his security investments against his competitors'. "If we brought in our peers from other organizations, would they view our investments as reasonable?" he says. "Would an objective set of eyes say we are spending the right amount?"

The Product Paradox. For Mike Rosello, VP of IT and operations at Alliance Data Systems Retail Services, the paradox lies in the trade-off between market competitiveness and security. "We are in the business of managing data, so strict security is an absolute must," he says. "We need to have effective security protocols while also staying competitive with our capabilities in the marketplace."

The solution is to have security staff on the design team, which is especially important because different proposed solutions bring with them different security concerns. "You don't want the security team telling the business why they can't get what they want," Rosello says.

This means coaching the team on a skill that may not be innate. The more your security team can educate the business and sell security services to them, the more effective that up-front conversation with the business will be.
