
Justifying Security to Management

Last reviewed: October 26, 2005

Justifying Security in the Business World Today

Having a good security policy, from screening prospective employees to protecting vital corporate data, can be costly for a company. But good security acts like an insurance policy. Ideally, a company does not want to have to use the full capacities of its security system. But if a security system is not present, then complications, when they do arise, can be disastrous to the immediate health and welfare of employees and the long-term future of the company. Thus, security personnel who are selling security systems, devices, technology, or services to a company often find themselves in the unenviable position of a life insurance salesman or woman -- they have to convince a company that the initial cost is justified, because of the risks that lie ahead if the investment is not made in the here and now, and they have to bring up the difficult and thorny issues of possible losses if the systems are not implemented.

How Security Systems are Effective in Generating Profits

Security investments may initially seem like costs rather than sources of profit, because the benefits of security are not immediately tangible or calculable. But individuals are more willing to invest in companies that have secure systems in terms of auditing and information protection. A consumer is more likely to make use of a credit card from a company with a documented security policy. An employee is more likely to stay at a company where he or she feels safe and secure working late at night. Investors are more likely to part with their immediate cash if they feel standard accounting procedures are openly obeyed when the company is calculating how the corporate finances are allocated.

Preventing Losses

Another way to justify the costs of security to management is loss prevention or mitigation, also called 'risk management.' In planning for the unexpected, companies have to weigh the risk vs. the cost of a contingency plan. When marketing security, the speaker must communicate a clear business case for investments in security and present the strategy in cost-effective language and layperson's terms. (Flynn, 2005) Robert Austin (2005) suggests putting high-tech language into a simple financial scenario on a personal level: if you knew "affordable lock technologies that provide better protection were available" for your home, and neighbors were being burgled in your area, would you consider it a savings not to make such an investment? Of course not, although a surprisingly large number of companies don't think the security of their IT infrastructure is all that important, as evidenced by the finding that "48% of companies stringently control the applications that are installed on corporate computers." (Austin, 2005)

Austin states that this kind of sloppiness in security "should be no more acceptable to responsible companies than is sloppiness in tracking inventory or cash in a company's bank account. When we stop thinking about information security as an esoteric problem and start thinking about it as an operational challenge that responsible companies must manage, we'll approach the right level of awareness. Unfortunately, according to the survey results, only a subset of companies are recognizing this" problem. If company or customer data is lost, then customers and revenue will be lost. The company itself can lose face, reputation, and revenue as a result of a security violation of its information database or because of injuries incurred by its employees during a natural or human-created disaster. (Austin, 2005)

Another way to suggest the importance of security is to phrase the company's policy in terms of risk management. When security officers address the need for disaster recovery through analysis and documentation of the potential financial losses, they can document the total losses per day that the company would face if the security system were not capable of quick recovery. By putting losses in day-by-day terms, the management staff will become more immediately motivated to review business continuance and disaster recovery plans. "Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking," just as if one were making a risky investment that needed an appropriate fallback strategy in case the financial risk failed. ("The ABCs of Business Continuity and Disaster Recovery Planning," 2005)

Protecting the Company Reputation

Cite This Paper
PaperDue. (2005). Justifying Security to Management. PaperDue. https://www.paperdue.com/essay/justifying-security-to-management-69864
