Network security risk is business risk. As an I.T. professional you’re responsible for keeping a business and its customers secure—it’s your job—but management simply isn’t willing to commit to providing adequate funding. Getting management to understand why they need to be bothered and why they need to provide budget can be difficult but it is part of your job. An IT professional who is responsible for securing an organisations network, must fine ways to communicate to management just how vital security is. You’d think that after Target and Home Depot everyone would be very security conscious, but security too often is still a back-burner issue.
Over 50% of IT professionals feel their company’s security measures were inadequate
If it’s any consolation, you aren’t alone. A survey conducted by Ponemon Institute last year indicated that there was a big communication gap between management and IT on the topic of cyber security. More than half of the 5000 IT professionals surveyed said their company’s security measures were inadequate. They felt upper management simply didn’t understand how important network security measures were. But it’s hard to assign blame. Another study conducted in 2013 found that 64% of IT professionals don’t communicate the risks with senior management adequately or only discuss risks when a security breach is found. Almost half of respondents said that the communication between management and IT security was “poor, nonexistent or adversarial”.
There's a competitive advantage in having an IT department synergized with its' business needs!
The money companies do spend on security is often misaligned with their needs. Few companies conduct audits to identify security risks, and only 11% of the typical security budget is spent protecting the application layer, though 37% of businesses feel it’s the most important security risk. Dr. Larry Ponemon, chairman of the Ponemon Institute, says, “Unfortunately, the misalignment of perceived risk and security spending coupled with the minimal use of security audits means that many organizations don’t have the information they need to improve security risks.”
The consequences of inadequate security are huge. Some estimates put the cost of the Target data breach at $1 billion. Companies tend to be so focused on products that they’re reluctant to make the investment in security, but studies show that costs are actually higher for companies that don’t implement adequate security measures. The same Ponemon study showed that companies using security intelligence technologies are more efficient in detecting and containing cyber attacks. ‘As a result, these companies enjoyed an average cost savings of $1.6 million when compared to companies not deploying security intelligence technologies.”
There are many security vendors providing cost-effective and accurate solutions, allowing SMEs to protect themselves against vulnerabilities. It’s up to businesses to implement these solutions to ensure security is an integrated part of everything not an afterthought.
Security risk is business risk and needs to be discussed within that context
All too often small- to medium-sized enterprises are destroyed by a network security breach. The costs of the breach, the loss of consumer confidence— these can take an enormous toll on a company. IT professionals must find ways to communicate to management just how vital security is.
Security risk is business risk and needs to be discussed within that context
- financial
- operational
- reputation
Security's role is to help the risk owner understand credible risk and make informed decisions to mitigate, control or accept residual risk. IT Professionals need to develop an appreciation for the business drivers that pay for all these expensive tools. Imagine the competitive advantage an organization would gain having an IT department synergized with its' business needs!