Security seems like a no-brainer when it comes to getting the rubber stamp of budget approval from business execs. With the Sarbanes-Oxley (SOX) and Health Insurance Portability and Accountability (HIPAA) acts, and other compliance regulations, CEOs have been fed a daily diet of compliance and security breach news, as well as advice and horror stories. Executives know that losing data goes well beyond upset customers and embarrassment; it can land them in jail.
For IT execs, these dangers have a useful side effect: they make senior management more open to security initiatives. "The media has done a great job with the scare-tactic thing, violently displaying all the compromises to privacy and making sure that CEOs understand the consequences of not complying," said William L. Bell, director of security at CWIE Holding Co. in Tempe, Ariz., and Web hosting firm Cavecreek LLC.
"Nobody likes to have their name in the paper" when there's a security problem, added Stephen Fried, vice president of information security and privacy at Metavante Corp., a banking and payments services company based in Milwaukee. "Then you add things like potential jail time for violation of certain regulations and laws, and that has the effect of getting management's attention on security issues."
While today's data breach spotlight has made senior executives more receptive to security initiatives, it doesn't mean freeing money for security projects is easy. Security remains a tough internal sell, and CIOs must reach out to business managers to ensure that security is a priority in every technology project.
The SMB challenge
Security can be a particular challenge for growing companies with limited security resources. Smaller companies face increasing regulatory scrutiny as they transition to publicly held entities. And they may now have larger trading partners and customers with greater due diligence demands.
"There are a lot of regulatory things coming down the pike. The biggest problem for most midrange organizations is keeping up," said Tim Mathews, director of risk management and corporate security for the Educational Testing Service in Princeton, N.J. "The technical part of it is pretty much best practice. The biggest challenge is the myriad contractual obligations and regulatory requirements."
So how do CIOs get the message across to management? CIOs can play up the fear factor in a way that business execs understand. Fried said CIOs must stop proposing security purchases as simply a good thing to do and present initiatives as part of the company's overall product set. "You have to tie your proposal back to what is in the best interest of the organization, whether [it's] retaining customers to making or losing money to keeping folks out of trouble with the law," he said.
"Talk in terms of things they understand," said Scott Megill, enterprise architect and program manager at Philadelphia-based chemicals manufacturer Rohm and Haas Co. Megill implemented single sign-on and identity management programs that include the Passlogix module in Tivoli's security suite.
Megill first approached executives about the project by emphasizing data and access management and intellectual property protection. Their eyes glazed over. And so Megill turned the conversation to single sign-on. As soon as he said the project could eliminate the need for executives to keep 15 usernames and passwords, "their ears perked up," he said. "Then we could start to roll in those other things."
The numbers game
Other CIOs use numbers to make the pitch. CIO Paul Valle of Papa Gino's Inc., a Dedham, Mass.-based chain of 400 pizza shops, saw a potential 3-to-1 return on investment in a security project. Employees were taking security into their own hands by encrypting files like spreadsheets. Problems arose when employees forgot passwords or left the company. Papa Gino's had to re-create some documents from scratch because IT couldn't break through the encryption.
Chris Cahalin, a network manager, learned that the Dell PCs at Papa Gino's, as well as PCs from other suppliers, are equipped with the Trusted Platform Module (TPM). The module can generate secure encryption keys and restrict user-generated keys. TPM could put the keys back in IT's hands.
And so Papa Gino's enabled TPM and brought in Wave Systems Corp.'s Embassy Trust Suite software to manage TPM for the company's 1,700 desktops and notebooks. So far the total cost is $6,900; the estimated savings is $22,000. "Take just the savings in support costs, things like resetting passwords," Cahalin said. "Those calls disappeared because people didn't have to call the help desk anymore."
These kinds of projects help IT build credibility. "Until recently, the CEO and CFO typically were the most difficult people to get support from," Valle said. "Now IT is becoming more of a partner in helping a company succeed."
Last year, Bell needed management buy-in for a project designed to limit users' ability to install applications and thus reduce help desk tickets by eliminating spyware and malware. To sell management on the idea, Bell established a test program in the call center. And he ensured support by talking with business people in their own language.
"You have to know the business value of certain assets," Bell said. "Let's say you have gone to the CFO and said, 'What data do you have that you would absolutely 100% hate to have someone else get?' Then you come back to them and say, 'Here's how I can improve protection of these assets.'" Bell's project got the green light, and CWIE deployed SecureWave on 320 systems at a cost of $25-$50 a system. The payback: an 80% decrease in the number of PC replacements in the call center and a decrease in help desk tickets.
Business execs, said Barbara Anson, director of IT security at Baptist Memorial Health Care Corp. in Memphis, "don't need to know all the technical aspects" of a security initiative. "They need to know what the technology means and how it can affect their job either adversely or not."
James Connolly is a contributing technology writer based in Norwood, Mass.