As CIOs and other IT pros well know, lapses in security pose serious threats to most modern organizations. Companies like Target, Home Depot, the IRS, Anthem, CareFirst—and scores more—have taken huge hits, in terms of reputation, fines and financial losses. Sometimes the CIO is ousted.
But in an era of constrained resources, how can you get your company to focus on doing security right—not just because it’s ethically and legally correct, but because it’s financially sound?
Resolve security problems to compete better
Despite the catastrophic effects of security problems, very few companies can provide evidence that they have addressed key areas of security risk and compliance. Usually, security is thought of as a giant money pit, and it’s easier—until something awful happens, that is—to just hope that your company won’t be next.
Even fewer stop to think that just doing a superior job at addressing security risks can be a competitive advantage for companies that do things right. How can that be? Organizations that reduce security risk are often better run in other ways—because they’ve evaluated their processes and thought through how to improve them. In this light, security and compliance are key aspects of managing a well-run company.
Can your company profit from compliance?
And usually, there is even a way to profit from compliance.
For example, 8×8, the enterprise cloud communications company where I’m CSO, made a conscious decision several years ago to do the work required to thoroughly address key areas of risk and brought in reputable third parties to provide validations. By offering third-party, validated-compliant HIPAA communications services and promoting this as an advantage for our customers, our company has made huge inroads into insurance and healthcare organizations, precisely because for these CIOs, security and HIPAA compliance are the number one priority for buyers of cloud communications.
Financial companies, too, are now turning their security features and processes into marketable services, such as Discover’s “Freeze It” feature, which lets people who have misplaced their cards to freeze it against new transactions and later “unfreeze” it if they find it later.
That’s a feature that requires a lot of behind-the-scenes work to do economically. Discover must be sure that its processes work automatically, seamlessly and above all, reliably. (Security features you can’t rely on, aren’t.)
But now that the company has done the work, Discover can offer a feature that cuts its own risk due to lost cards that people are reluctant to shut down right away. Plus, it gains marketing advantages over other cards that can’t offer that capability.
In my experience working with a wide range of companies, almost every company can find a way to market tighter security and compliance, but each company’s potential is usually a little different. Start thinking now about what your company’s “security and compliance dividend” could be.
How to get upper management buy-in
Security and compliance directives rarely work unless they come from the top, so you have to get upper management to 1) make a commitment and 2) understand that it will take resources, investment and reinforcement of good behavior—and maybe even exposure of bad practices—to make the commitment “stick.”
The key to this is quantifying the negative financial effects of a breach, and the positive effects of being an industry leader in the field, or of providing extra-secure products and services. It is also often helpful to mention that how security is handled is often seen as a critical indicator of whether or not he or she is in charge of a well-run company. What executive wants to argue with that?
Where to start
The biggest challenge is often making the pitch. Schedule a meeting with top decision-makers, and be ready to:
- Summarize key security risks at your company and talk about the potential for losses from such risks. You need not have actually suffered a loss—you can talk about what might happen. You can do cost estimates of incidents arising from similar risky situations, especially if they happened in your industry.
- Discuss the impact, root cause and economic benefit of avoiding incidents.
- Present a short, high-level summary of your plan—basically, a prioritized road map—to raise the level of awareness of security, compliance and their value to the company.
- Discuss reasonable short-term and long-term goals—both for the overall company and on a department-by-department basis. Department directors are usually more willing to support goals that align with the things they’re already being evaluated on.
For instance, an IT goal might be to reduce the number of social engineering attacks, or reduce the number of unsecured desktops at the company. A customer service department might have goals concerning the detection of social engineering attacks by people impersonating legitimate customers. (Incidentally, a good VoIP phone system or contact center software can help to achieve this goal, since they integrate with CRM systems such as NetSuite and Salesforce and match the incoming phone number, automatically “popping” previous contact information to the phone or screen.)
- Talk about quantifiable training objectives. Most security and compliance standards—including Sarbanes-Oxley, HIPAA, and FISMA—have explicit training requirements. Present a roadmap explaining how you propose to get there.
- Paint a picture of what success looks like—and how you might leverage a more secure, compliant company as a business improvement. Could you use improved security in ad campaigns? Could you reduce losses and improve the bottom line?
- Talk about what IT can do to make the change easier. And be ready to train and mentor others in the company and support them in their efforts to run more secure, compliant operations.
You CAN do this
Sometimes it might seem tough to win the fight for security and compliance. But most people who prepare thoroughly—and can talk details about security and compliance’s effect on the bottom line—can get top management’s support. Good luck!