As an IT security professional, I have been asked the question ‘How does security add value to the business?’ many times. In this article I will attempt to answer it and explain how the concepts can be applied.
But before I do that, I need to discuss what business value is and how IT provides it.
Simply put, business value is making the business go ‘faster, better and cheaper’. In the current economic climate all three of these factors are essential to lift the bottom line.
So how can IT help achieve this? Information technology gives an organisation one of its best opportunities to innovate and move the business forward. An organisation can use IT to deliver its business plan better than its competitors and to satisfy customer demand, thereby capturing a larger market share. E-business is a good example of doing just this.
But how do we go about achieving the results stated above? To start, we need to understand how IT can help the business reach its goals. It is a matter of aligning IT’s direction with that of the business, so that IT enables the achievement of the organisation’s business goals. This is typically done through a strategic planning process and captured in an IS Strategic Plan (ISSP). The focus of this phase is 80% business and 20% IT.
We then need to implement this plan. The outputs and deliverables here are typically an IS Roadmap, which captures the applications required to deliver on the ISSP, and an Enterprise Architecture (EA) that will host those applications. Implementation is typically a tactical exercise designed to deliver the ISSP described above. The focus of this phase is 50% business and 50% IT, as the business directives outlined in the ISSP are delivered.
Once the relevant technology is in place, we enter the ‘Run’ phase of the spectrum. Here the focus is on running and maintaining the delivered environment so that key business systems are optimised, and the key deliverable is a complete IS Operations Manual. This is the Operational phase and is 20% business and 80% IT.
Since the business is forever changing, each phase loops back to the previous one, and ultimately to the start, to capture new business directives and to remedy any issues picked up in the existing environment.
The above is illustrated in the diagram below:
So now you are asking: ‘What has any of this got to do with IT risk management and security?’ Simply put, the use of new technology always introduces risk to an organisation. We are all familiar with the phrase ‘bleeding edge’! IT risk management and security allow that risk to be managed, so that an organisation can take up new technology without being exposed to undue risk. They allow an organisation to go ‘faster, better and cheaper’ without making mistakes so grave that the benefits become smaller than the risks and losses. To use an old adage, IT security and risk management are like the brakes in a car. Whilst people think that brakes are there to slow you down, they are in fact there to allow you to go faster, safely.
So how could the above be applied within an organisation? IT risk management and security should be part of the very fabric of any organisation, regardless of size. They should be built into the organisation’s ISSP, so that they are a strategic initiative; into its IS Roadmap and EA, so that they are delivered appropriately; and into its operating environment, so that they are in place and used day-to-day. They should also be an integral part of the organisation’s Systems Development Lifecycle (SDLC), so that all business-critical applications are delivered secure from day one and do not expose the organisation to undue risk.
So how can we positively measure the benefit of managing IT security risks? Risk can be measured quantitatively or qualitatively, and depending on the size of your organisation either or both may be applicable. However, measuring risk in isolation makes it very difficult to determine ROI. To justify the security spend, you need to look at the bigger picture and understand the business benefits that would be lost if you could not deliver the entire solution securely. For example, an e-commerce gateway has obvious business benefits, but you cannot deliver the solution at all without security being built into it.
I have seen a lot of organisations spend money on IT security and risk management simply to meet compliance requirements or to ‘tick a box’. Whilst this can bring short-term gains in avoiding compliance-related penalties (for example under PCI DSS), many compliance initiatives do not focus on delivering business benefits and as such do not deliver business value. Remember, it is not ‘security for compliance’ but ‘compliance as part of security’ that delivers real business benefits and allows an organisation to exploit technology to enable its business.
To sum it all up, technology gives an organisation one of its best opportunities to innovate and to go ‘faster, better and cheaper’. IT security and risk management allow it to get there without too many speed bumps!