Business of IT: Building a business case for security

Security can be both the unseen hero and the weakest link in an organisation, so how do you make the case to spend enough to protect your organisation's most vital assets? Stephen Pritchard investigates...

"We're still seeing reactive spending to an extent, driven by the fear factor, or because the Information Commissioner or regulatory requirements demand it," says Richard Harrison, an IT security expert at PA Consulting. "Or a company might act, to protect its reputation or to protect itself from damage."

The first step is educate the CEO or MD on the importance of security. To be successful security has to be visible.

Advertisement - Article continues below

And businesses have been building what many industry insiders describe as "ever higher walls" around their IT infrastructure, not least because the board demands that IT does all it can to protect assets.

As Jay Huff, general manager for Europe, the Middle East and Africa (EMEA) of HP's ArcSight security division points out, that is not always the most effective approach. "The issue is that after decades of investment, organisations are still finding themselves pretty insecure. So senior management are asking for more formal business cases."

A business case, or a return on investment?

Security spending was one of the few parts of IT budgets that continued to grow during the recession. But both boards and IT directors are starting to scrutinise security spending more closely, to determine whether an increase in security spending brings with it, a proportional increase in safety.

Advertisement
Advertisement - Article continues below

"There's a gap between what needs to be done and what the C-level thinks needs to be done. C-level executives may not be aware of all the issues," warns Larry Ponemon, chairman of the Ponemon Institute. "The first step is educate the CEO or MD on the importance of security. To be successful security has to be visible."

Advertisement - Article continues below

Security awareness also needs to be combined with an understanding of the business' attitude to risk. As Dimension Data's Campbell points out, few businesses can now afford to protect every information asset with the same levels of security. In areas where the risks of attack are relatively low or the losses from an attack or data breach will be limited a lighter-weight, lower-cost security approach may drive a more robust business case.

"Security is, in some ways, like business continuity," says PA Consulting's Harrison. "The degree to which you want to invest in it depends on how much risk you want to take."

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020