
The effect of finance on organizational security programs

Last reviewed: July 20, 2012

Security Finance & Payback

Security Finance

A strong, effective information security program consists of many layers that create a "defense in depth" (Spontak, 2006). The objective of information security is to make any unauthorized, unwanted access extremely difficult, easily detected, and well documented. Components of a strong defense include firewalls, virus filters, intrusion detection, monitoring, and usage policies. Some businesses are missing the business culture, policies and procedures, separation of duties, and security awareness.

The Finance Department is critical to the security of the information system. Financial executives can set the tone, encourage compliance with security policies, and lead by example. Allowing the sharing of passwords puts information security at risk, especially where financial, employee, and customer information is concerned. When employees are uneducated regarding compliance regulations, the organization can end up in trouble with authorities. Employees should be evaluated on information security measures, not just on customer service measures. Separation of duties creates internal control. Department heads need to communicate with each other about what employees are able to access in the information system. The most challenging part of information security is staff awareness.

The finance department is a major contributor to the success of information security simply through the actions and procedures it follows. Ensuring staff awareness of the security policies and procedures, training on compliance regulations, and ensuring that policies are being followed by the CFO as well as other employees all add to the security of the information system. Executives should lead by example as well as take measures to raise employee awareness.

Payback

Return on security investment (ROSI) is a popular measure of the cost-benefit aspect of information security (Gordon, 2002). This concept has led to some confusion and misuse. The points of confusion with ROSI are whether to use accounting ROI or internal rate of return (IRR), whether to maximize IRR or net present value (NPV), whether IRR and NPV are ex-post or ex-ante, and whether to invest up to the level of expected risk to maximize the net benefits of the investment.

Cite This Paper
PaperDue. (2012). The effect of finance on organizational security programs. PaperDue. https://www.paperdue.com/essay/security-finance-amp-payback-security-110096
