How to build the business case for security
Chief information security officers must learn to build a business case for security. While many organisations remain unsure about the business benefits of security investments, security can be a business enabler, according to Jo Stewart-Rattray, director of Information Security & IT Assurance at Australia’s BRM Advisory.
“Security is an enabler when we learn to listen to our colleagues in the business and determine their needs and how we can assist to ensure that we secure those transactions, applications or systems appropriately,” says Stewart-Rattray.
Stewart-Rattray will be presenting an international keynote on ‘Security as a business enabler: making the business case for security’, at the ITWeb Security Summit 2020, to be held as a virtual event from 25 to 28 August.
“By collaborating across the business, we get buy-in and colleagues recognise that we are there to enable them and their activities. They’ll be more likely to listen to us when we do warn against particular practices,” she says.
A false sense of security
Speaking of where organisations are failing when it comes to making the business case for security, Stewart-Rattray says they often make the mistake of thinking that an attack will not happen to them; they feel a false sense of security because they believe they have nothing that anyone else would want.
“This false sense of security is a real problem as it leads to lack of funding and resourcing for security,” she says.
To build a solid business case for security, these issues need to be addressed first, she adds.
According to Gartner, the spend on cyber security should be between 6% and 10% of total IT spend, but this is rarely the case. A recent global survey from ISACA found that successful organisations are those with appropriate security staffing, and that these organisations are in the best position to deal with an attack when it happens, Stewart-Rattray says.
“In addition, an organisation with good security governance as well as a practical and appropriate approach to security operations has a competitive advantage in the marketplace.”
During her presentation, Stewart-Rattray will delve into what it takes to build the business case for security, and will introduce delegates to a model that she has been using successfully to inform her own practice, which helps them to focus on both the internal and external issues that affect the security posture of their organisation.
“They can also expect that this presentation will be from a CISO’s perspective – warts and all,” she ends.