"Experience shows that information security departments have always been viewed as departments that impose more rules, more password restrictions, more limitations on access, more barriers and firewalls – the security teams are effectively seen as teams comprised of individuals with a ‘badge, gun and guard-dog' attitude," continued Mayisela.
"However, executive management is not primarily concerned with how well the security solutions protect sensitive information. Rather, executive management is concerned with the benefits gained from investing in security solutions and how this investment influences the organisation's net earnings per share," he continued.
Executive management needs to know if the investment in security solutions is financially vindicated and if it would render the business secure, he added. "Additionally, they need to know how much the lack of security is costing the business, how much value greater security adds to the business, or how much more a secure company is worth compared to an insecure one." The challenge faced by executive management was to define an absolute metric to be used to qualify the business as secure, Mayisela elaborated.
"The terms ‘secure' and ‘insecure' can be perceived differently by different individuals. In our experience, security discussions do not form part of an agenda for executive management board meetings unless there has been a security incident that has a significant business impact such as fraud, violation of a statutory requirement, or leakage of sensitive information such as the company's intellectual property, trade secrets, or information about mergers and acquisitions.
"This flawed thought process, it should be noted, affects executive management decisions in various ways: 1) management not being able to place a financial value on security; or 2) management not realising their return on the investments they have put into information security," he concluded.
Mayisela will be chairing ITWeb's Governance, Risk and Compliance Summit 2016 in February at Summer Place, Hyde Park in Johannesburg.