Avijit Gupta
BANGALORE, INDIA: Ms. Agarwal, the Information Technology Manager at Bluechip Ltd., is a very concerned person these days. Her company has recently launched a new range of products and services and is exploring various channels to position and market them. Ms. Agarwal has recently learnt from Mr. Reddy, VP Marketing, that one option they are almost certain to go for is revamping the existing “not so known” company website into an active business portal, where customers would not only be able to view the product range, but also package products as per their choice and place orders directly!
Ever since Ms. Agarwal learnt that, she has been thinking that, given the new business requirements, she will not only have to come up with a strategy to upgrade and integrate the existing business applications, but also develop a plan that considers the risks relating to data security. But that’s not what she is concerned about. Ms. Agarwal knows that, as IT Manager, her real challenge will be to convince the management to approve the budget for IT security.
Many of today’s IT Managers, Chief Information Security Officers (CISOs) and others responsible for information security and data privacy find themselves in a similar situation. They understand the realities of conducting business today, in an environment where information technology components are often not integrated. With the increasing sophistication and proliferation of attacks, and the ever-shifting focus of threats to the next weakest link, that is, people and applications, the rise of financially rewarding attacks will continue. Technical environments will continue to become more complex, as we have seen in the example above, and the proliferation of new and extended enterprise applications will raise new security and data privacy concerns.
These challenges are predominantly organizational and cultural. Most enterprises have invested in and developed security programs, often as a one-time exercise after a major information technology solution implementation. However, over time such initiatives have not kept pace with growing business requirements. The reasons for failure could be many: lack of business or executive buy-in, a disconnect between enterprise and business unit goals, low prioritization of security compared to business initiatives, lack of appreciation for the importance of security, security projects that are mostly technically led and IT-based, and one can go on and on. However, the one most important reason, which perhaps leads to many of the above causes, is the inability to establish the business value or ROI of information security, and that’s where Ms. Agarwal’s real concern is.
Having said that, it is also true that “buy-in” for information technology is not easy. Business value could relate to different sets of priorities. For instance, is it protecting reputation and brand, reducing the cost of regulatory compliance, protecting existing revenue streams and helping generate new ones, ensuring that the business functions even during adverse conditions, and so on and so forth? According to Gartner, about 60% of organizations primarily value information security as a cost of doing business, about 40% see it as an insurance policy against hacks, breaches or regulatory fines, and only about 12% consider it as ROI. Information security is generally viewed as somewhat effective in meeting the needs and expectations of an organization across all industries.
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.