Do you ever wonder what the heck is wrong with top management? Why don't they see risks associated with IT security breaches? Why don't they help you do something about it?
The U.S. Department of Homeland Security has been asking some of the same questions. So it asked The Conference Board -- the same people who develop the Consumer Confidence Index and Leading Economic Indicators -- to find out. Yesterday, The Conference Board published the results of the study.
Most C-level executives still view security as an operational issue, not a strategic issue, according to "Navigating Risk: The Business Case for Security." The study, which researched the attitudes of some 213 top-level corporate, non-security executives, found that most security organizations are still operating in silos that are far removed from their highest-ranking decision makers.
Despite frequent news about security breaches, most C-level executives report that they still have little direct responsibility for most aspects of security. And the few executives who do understand the issues often do not have the influence needed to do something about it.
"In general, the executives who were most supportive of security were not the most influential, and the most influential executives were not the most supportive," says Thomas Cavanagh, senior research associate at The Conference Board, who authored the report. "A lot of organizations still treat security as an operations issue, on the same level with facilities management, and most C-level executives are mainly focused on more strategic issues."
Such attitudes about security have caused many organizations to distance their security teams from other parts of the business as well. "Security directors appear to be politically isolated within their companies," Cavanagh says. Security pros often do not talk to business managers or other departments, he notes, so they don't have many allies in getting their message across to upper management.
A key problem, Cavanagh says, is most security managers don't know how to map their priorities to business objectives, and most top managers don't understand how security fits into their business objectives.
For example, when asked how well their company's security was aligned with business goals, high-ranking executives said alignment was most effective in complying with government regulations (79 percent), protecting confidential information (74 percent), and maintaining business continuity (71 percent). Only 44 percent said security enhances the value of the brand, and only 36 percent said it helps in managing the supply chain.
"It indicates that security organizations have made their presence felt in areas like compliance, but they haven't been effective in showing how security can help build a brand by improving customer trust," Cavanagh says. "The supply chain result was a little surprising, when most executives know that their security perimeters are expanding to include partners."
Security managers need to reach out more aggressively to other areas of the business to help them make their case, Cavanagh says. "Risk managers are among the best potential allies," he observes, because they are usually tasked with measuring the financial impact of various threats and correlating them with the likelihood that those threats will happen.
"That can be tricky, because most risk managers come from a financial background, and they don't speak the same language as the security people," Cavanagh notes. "It's also difficult because security presents some unusual risk scenarios. There are some franchise events that could destroy the company's business, but have a very low likelihood of occurrence, so it's very hard to gauge the risk."
Getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs means creating metrics that help measure the value of the security effort, Cavanagh says. In the study, The Conference Board found that the cost of business interruption was the most helpful metric, cited by almost 64 percent of respondents. That metric was followed by vulnerability assessments (60 percent), benchmarks against industry standards (49 percent), the value of the facilities (43.5 percent), and the level of insurance premiums (39 percent).
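Cavanagh's two points above, that risk managers multiply financial impact by likelihood and that low-likelihood "franchise events" are hard to gauge that way, can be shown with a short calculation. The following script is an added example, not part of the report or the article; it assumes that incidents arrive as a Poisson process with a fixed business-interruption cost per incident, and the scenario figures and the $5 million "ruin" threshold are constructed for illustration, not taken from the study. It builds two scenarios with identical annualized loss expectancy and shows how differently they behave once you ask about the chance of a business-ending year.

```python
"""Annualized loss expectancy versus tail risk for two threat scenarios.

Added example (not from the Conference Board report). The report notes that
risk managers measure the financial impact of threats and correlate it with
likelihood, and that "franchise events" with very low likelihood but
business-ending impact are hard to gauge. A single expected-value figure
hides that difference; this script makes it visible.

Model (an assumption of this example): incidents in a scenario arrive as a
Poisson process with rate `events_per_year`, each costing a fixed
`loss_per_event` (e.g. the cost of business interruption). The two
scenarios below are constructed so that their expected annual loss is equal.
"""
from dataclasses import dataclass
from math import ceil, exp


def _poisson_cdf(k: int, lam: float) -> float:
    """P(N <= k) for N ~ Poisson(lam), computed by direct summation."""
    if k < 0:
        return 0.0
    term = exp(-lam)  # P(N = 0)
    total = term
    for i in range(1, k + 1):
        term *= lam / i  # P(N = i) derived from P(N = i - 1)
        total += term
    return min(total, 1.0)


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected incident count per year (Poisson rate)
    loss_per_event: float   # cost per incident in dollars

    def annualized_loss_expectancy(self) -> float:
        """ALE = annual rate x loss per event; the usual one-number summary."""
        return self.events_per_year * self.loss_per_event

    def prob_annual_loss_at_least(self, threshold: float) -> float:
        """P(annual loss >= threshold).

        Annual loss is N * loss_per_event with N ~ Poisson(rate), so this is
        P(N >= k) where k is the smallest incident count whose cumulative
        cost reaches the threshold."""
        if threshold <= 0:
            return 1.0
        k = ceil(threshold / self.loss_per_event)
        return 1.0 - _poisson_cdf(k - 1, self.events_per_year)


# Constructed scenarios (illustrative numbers, not figures from the report).
FREQUENT_MINOR = Scenario("frequent minor outages", events_per_year=12.0,
                          loss_per_event=10_000.0)
FRANCHISE_EVENT = Scenario("franchise event", events_per_year=0.01,
                           loss_per_event=12_000_000.0)
RUIN_THRESHOLD = 5_000_000.0  # assumed annual loss the business could not survive


def compare(threshold: float = RUIN_THRESHOLD) -> dict:
    """Return ALE and ruin probability for each scenario, keyed by name."""
    return {
        s.name: {
            "ale": s.annualized_loss_expectancy(),
            "p_ruin": s.prob_annual_loss_at_least(threshold),
        }
        for s in (FREQUENT_MINOR, FRANCHISE_EVENT)
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:24s} ALE=${r['ale']:>10,.0f}  "
              f"P(annual loss >= ${RUIN_THRESHOLD:,.0f}) = {r['p_ruin']:.5f}")
```

Both scenarios carry an ALE of $120,000, so a risk register sorted by expected loss ranks them as equals. The exceedance probability tells a different story: a dozen $10,000 outages cannot reach $5 million in a year, while the rare event reaches it in roughly one year in a hundred. When presenting to a risk manager, quoting a loss-exceedance figure alongside the ALE is what keeps a franchise event from being averaged away.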
Face time is another important way to gain attention in mahogany row, the report says. In industries where there are critical infrastructure issues, such as financial services, about 66 percent of top executives meet at least once a month with their security director, according to the study. That figure dropped to around 44 percent in industries without critical infrastructure issues.
In general, however, security managers are finding that they must build a coalition of supporters within the management team. "Part of the job description of the security director is to serve as a chief lobbyist, rounding up support from other colleagues who may have more leverage in the C-suite," Cavanagh says.
The report is available here. It costs $125 for Conference Board associates; $495 for non-associates.
Tim Wilson, Site Editor, Dark Reading