Is it IT’s job to convince their execs to prioritize data security?
A recent blog post in TechRepublic cites an enlightening Ponemon Institute report on the effectiveness of security metrics. As it turns out, great security metrics typically don’t drive companies to improve their security. Why?
It’s no surprise that IT people feel either that their C-suite executives can’t understand the technical information, or that the executives don’t want to listen and let other issues take priority. While security metrics have improved by leaps and bounds, the ability of IT professionals to communicate the urgency behind those metrics has not. That gap has made upper management reluctant to spend corporate resources on data security.
Security metrics and plain English
The upshot of the Ponemon Institute report is that great security metrics don’t matter if IT professionals can’t turn them into a case for improved security. That means using more than numbers: it means case studies, recent news reports, and even quantifying the public relations cost of an embarrassing data breach. Shortly after security metrics became popular and IT departments could produce reports showing security goals and progress toward them, data breaches decreased. But then they began to creep up again, according to the report. Experts hypothesize that the initial excitement wore off, and that the spending the metrics called for never followed the recommendations, because data security is a less exciting topic than branding or product evolution. Would it be nice if the CEO were just as interested in the security metrics report as in the latest sales figures? Sure. But it’s the job of IT to make a compelling case for executives to pay attention.
Problems and Solutions
A great tactic is to present case studies of data breaches at comparable companies, estimate or cite the cost of those breaches, and propose real solutions. A great solution to the problem of loose media containing confidential data is onsite data destruction. Onsite data destruction means hard drives, flash drives, disks, smartphones and backup drives never leave the protected areas of your IT department until they are wiped clean. It’s a cost-effective solution that helps your company comply with federal regulations surrounding data privacy, such as HIPAA, Gramm-Leach-Bliley, and Sarbanes-Oxley. And that is music to a CEO’s ears.