A recent major Kuala Lumpur IT security conference provided very useful insights into the increasing security difficulties that confront CIOs today. Consistently, the speakers were knowledgeable, passionate and articulate, but will these messages ever bear their desired fruit? Were we just preaching to the converted?
One speaker outlined what is likely to be the next wave of malware that will disrupt our IT operations. Another warned how viruses can spread between mobile phones. Then the final presentation explained why using laptop computers in wireless internet zones at airports and coffee shops could be a significant security risk. But what would chief executive officers make of these messages? This is a real challenge for many CIOs.
When CIOs identify the most frustrating aspects of implementing IT security, high up on that list is the challenge of getting the support of the senior executive. A common complaint is that IT security is seen as an IT issue rather than a business responsibility. Yet, if we position IT security in a language that is only understood by the cognoscenti, then I fear we will only make this task even more difficult.
As I see it, the problem centers on the tendency of the IT industry to present security in the context of having solutions to the challenges. The speeches at the conference in Malaysia tended to follow a common pattern. First, they would outline an issue. Then they would explain how technology needed to be used to defeat these security difficulties.
The underlying message seemed to be that the CIO had to apply some toolset or other and then these problems would be defeated. Unfortunately, the likelihood is that new security problems will materialize to take their place. In the end the CIO taking a pure technology approach to IT security is left looking a bit like the cat chasing its tail. The desired goal will always prove elusive.
This is not a criticism of the technology, but it is a fact of life that complete security is an unrealistic expectation to set. As former US President Dwight Eisenhower once remarked, "complete security is only achievable inside a prison and then you have no freedom". If CIOs spend their time and efforts trying to ensure complete security, they will only fail. Moreover, they will also disappoint their business executives and add to the existing executive impression that IT never delivers on its promises.
Be security conscious
Probably no country in the free world has been more vigilant about security than Singapore. Yet a manhunt is now underway for a major terrorist suspect who fled from captivity in the island-state. This is a salutary example to CIOs that in the area of security, no plans are foolproof. Nevertheless, Singapore has established a three-member Commission of Inquiry to investigate the escape, to determine what went wrong and how this episode could be avoided in the future. Singapore has a strong security-conscious culture and, in my mind, this is what businesses need to embrace if they want effective IT security. As in Singapore, such a culture sees security as an ongoing learning process rather than a destination. However, to achieve this, CIOs need to determine how they engage business executives on the topic of IT security.
Above all, to get business involved, CIOs and their suppliers have to present IT security issues in a business context. The business is not interested in the specifics of malware. The challenges CEOs talk about relate to efficiency, growth, innovation, securing executive talent, and customer loyalty and retention. There is no doubt that IT security has the potential to affect nearly all of these issues. Nevertheless, if the IT industry focuses on the technological minutiae of the security challenge, most business executives will switch off. Instead, IT needs to understand how to articulate the security challenges around IT in a language the business can understand. The technology issues are for the deliberations of IT staff only. The people who write the checks for IT security expenditure need to have the importance of the task explained to them in a different way.
Top three issues
Let me explain by referencing the work of The Conference Board. This global organization undertakes an annual survey asking CEOs to identify what they see as their current major challenges. The 2007 report lists the top three issues facing CEOs around the world as: excellence in execution; sustained and steady top-line growth; and consistent execution of strategy by top management. More than 30 per cent of the 769 CEOs who responded to the survey identified these issues as top priorities for their organizations.
Vulnerabilities in IT security will clearly have an adverse effect on a business striving for excellence in execution. Fixing a virus outbreak or a denial of service attack will distract resources from other more important tasks. Similarly, top-line growth is achieved by an emphasis on fulfilling strategic goals. Operational issues like security lapses will not grow the business, but they can definitely impede this objective. Security has a part to play in assisting with consistent execution of strategy, because security considerations should be part and parcel of those strategy deliberations. In effect, the true case for an IT security investment is one of opportunity cost.
Business needs to understand that IT security is a necessary cost of modern business. Do you make this expenditure in advance to prevent things from happening, or do you spend money to fix problems after they have occurred? The reality is that retrospectively addressing security will be a much greater cost to the business than doing it upfront. Done in advance, a security investment can be seamless; done after the event, it is extremely disruptive. However, to garner executive support for being proactive on security, CIOs need evidence to demonstrate what these likely costs will be. CIOs are advised to track high-profile breaches of IT security and to discuss with the CIOs affected by them what the full costs of these breaches were to their operations.
Executive support vital
The issues raised by the speakers at the security conference were valid and the solutions they proposed should work. Many delegates left the event better equipped to deal with the task of IT security. However, unless we have executive support, I suspect many CIOs will still find providing this protection frustrating. If CIOs can position the task as one that will help executives meet their objectives, then they will find the task much more rewarding. They will still need to attend security conferences to keep abreast of new developments in the IT security field. However, when they return to their organizations afterwards, they will know that they have the full support of the executive team in tackling these matters.