
When security breaches do happen, there is no doubt that brand equity and public confidence are eroded, and so getting security policies, technologies and processes right is increasingly being seen as a C-level issue that not only adds brand value but also acts as a key competitive differentiator. CXO asked a number of industry experts to provide their thoughts on some of the key issues.
Bruno Darmon is VP, EMEA Sales at Check Point Software and brings over 20 years of high-tech experience to the company.
Tim Pickard is RSA Security’s Strategic Marketing Director and the company’s key spokesperson for Europe.
Gary Clark is Vice President, EMEA, of encryption specialists SafeNet.
Chris Voice is Chief Technology Officer at Entrust, responsible for shaping technology strategy.
John Brigden is Symantec’s Senior Vice President for EMEA and drives sales, operations and business development.
Edward P. Gibson is the Chief Security Advisor for Microsoft Ltd, in the UK.
CXO. Many C-level executives view security costs as a necessary evil. But in what ways can a first-class approach to security add value to an organisation and increase public confidence in the brand?
GC. Security is simply good business practice, and access control – knowing who is accessing data and when – is now a mandatory part of the electronic age. Over the last five years, security policies and procedures have become a must-have and any organisation without adequate measures in place will not survive. However, the threats constantly evolve and become more sophisticated – meaning policies often become quickly outdated. Organisations cannot afford to be complacent and rely simply on reactive security policies and measures. Pre-empting and prevention (rather than curing issues and compensating customers after a security breach) are the only ways to instil confidence and trust in the brand.
CV. Security is increasingly being viewed by leading organisations as a business enabler. The speed and cost-effectiveness of the internet as a channel are attractive to organisations who increasingly rely on this to deliver goods and services to their customers; however, without confidence that identities and private information are being protected, the potential of the online channel will not be realised. The slowing adoption of applications such as online banking due to high levels of identity fraud already bears witness to this effect. Improving the security will result in more customers adopting the internet with a corresponding business return.
TP. The most progressive organisations strive to achieve multiple business benefits from security investments – from streamlining business processes, to reducing operational costs and enhancing the brand. Taking identity and access management as an example, one of RSA Security’s most forward-thinking customers has implemented a password management solution with the aim of improving user experience and reducing helpdesk costs. They will also benefit from increased security, but this was not their primary driver. Some excellent examples of organisations implementing a security solution in order to build their brand can be found in the financial services sector. For banks in particular, attracting customers from the competition and encouraging them to bank online as opposed to using other channels is key to boosting their bottom line – and security technology allows them to achieve this.
JB. In today’s business climate, security investment should be viewed as an absolute essential, rather than some kind of necessary evil – when security breaches do happen, there is no doubt that brand equity and public confidence are eroded, temporarily or permanently. Ultimately, trust is at the heart of today’s digital economy. If we fail to create trust, it will hurt not just the digital economy but the economy as a whole. If consumers can’t trust businesses to protect their personal information and to secure them from the threats of cybercrime they will simply take their business elsewhere. We have a sixth sense in the physical world – it’s up to businesses to help consumers develop their online sixth sense. Those organisations that are doing this via a robust and comprehensive security policy will take the lead in securing that trust and in turn help their business to prosper.
BD. Brand confidence is built on trust and this is only possible if the consumer – or any stakeholder – feels that they understand the risk involved in dealing with your business. If your customers think you can’t protect their data they will think twice about doing business with you. Protecting data from distortion and tampering is also essential for competitive and legal reasons. Finally, high availability is a must-have in the new 24/7 online world – a company just can’t afford to have its networks or web presence compromised, and risk losing customers or impacting productivity in the process. The challenge for companies is how to create a secure environment that maintains confidentiality, integrity and availability across all distributed business areas and even beyond the boundaries of the company. A unified security architecture is the only way to achieve this goal and its development must be driven by the needs of the business. It is a collective, board-level responsibility and should not be designated solely to the IT department to enforce.
EP. Consumers do not want to worry about internet security, they want it to be transparent. Companies who can provide assurance in areas such as customer and employee information, data retention and distribution, and offer the ability to retrieve information as it was stored, will surely thrive over companies who ‘lose’ customer/employee/intellectual property.
CXO. A recent survey of IT directors in Computer Weekly revealed that most believe current levels of security investment to be inadequate. How can IT professionals persuade those at the board level that they need to invest to head off future problems?
TP. IT professionals need to speak the board’s language if they want to increase security investment. They must build a solid business case and provide as much evidence as possible to highlight the wider business benefits of the increased investment, and also what the consequences could be if funding is not granted. This is no easy task, and companies should lean on security vendors to help gather the facts and data they need to support their argument. Security vendors have a vested interest in increasing spend, and they should be made to work hard for it by demonstrating how their solutions support overall business aims.
CV. The more proposed security investments are tied to business outcomes, the more they will find traction within the business. There are countless examples where organisations have suffered damaging media attention due to security issues and as a result have lost market share and market capitalisation. Very few business leaders, when confronted with the stark reality of the potential of being tomorrow’s newspaper headline, will not carefully examine IT security proposals. At the same time however, it is important that IT security professionals be able to present security investment proposals in the context of risk. It is not only the negative outcome but the potential for that negative outcome to occur that must be accounted for in prioritisation of IT security project funding.
GC. The message must be championed that security needs to be reviewed on a constant and evolving basis, thus ensuring that the solutions deployed are proven and best of breed, robust and scalable, and that ultimately their deployment within the organisation delivers security peace of mind to the business and all its stakeholders. With more and more CIOs and IT directors sitting at the board level, the biggest hurdle has already been overcome; IT is now seen as a business critical department. Investment in security will often be seen as inadequate by the IT team, as these are the people in the firing line of solving issues and who deal daily with the complexity of malicious attacks. However, there are still occasions where senior executives only feel the need to invest in security when the damage to the organisation has already been done. It is a much wiser and more forward-thinking company that puts the appropriate security budget and solutions in place first. This avoids the fallout of a security breach that can damage company reputation, hurt customer confidence and negatively impact revenue figures – especially when a security breach often requires the same level of security investment (if not more) at the end of it.
JB. The more IT professionals understand the financial implications of a security breach, the more the board will listen. The cost to a business of inadequate security investment is high at best and incalculable at worst in terms of damage to reputation, share price and customer retention. Most businesses nowadays rely on intellectual property to make their business work – IP is the lifeblood of today’s organisations in terms of the documents, data and information held at the heart of that business. Loss of that information – temporary or permanent – will cause that business to grind to a halt. IT professionals need only point to examples of organisations such as The Bank of America, LexisNexis and ChoicePoint who have all experienced loss of customer data to hackers. These stories should be enough to illustrate to the board that security attacks are real.
BD. The question must go beyond “are we spending enough money?” to “are we spending money in the right way?” To convince board members to rethink their view of security, they need to be shown a level of effectiveness greater than is shown today. To do this, we must take a step back from reactive thinking (purchasing a new solution for every new threat) to proactive thinking (designing an architecture that can expand to meet new threats). There are two key elements to think about: integration and flexibility. By integration we mean the ability for different applications or functions to work together – such as not requiring an administrator to search for security audit information from multiple interfaces. True integration across the security functions will result in more efficient use of IT resources – and improve security. And flexibility means the ability to adapt to new threats, to new applications – without starting from scratch, but instead leveraging the current solutions.
EP. Regrettably, it is often necessary to emphasise the negative in order to help assure the positive. By this, I mean it is not until decision-makers truly understand and recognise the potential for compromise, loss of data, extortion, blackmail or theft of anything of value because of lack of properly secured hardware and software, that one truly believes. It is the old adage that one in a million people are likely to be struck by lightning – very good odds if you are a gambler, but not good if you are that one in a million.
CXO. Corporate governance and compliance remain very much on the front burner for most senior executives. How are these issues tied up with enterprise security, and what do executives need to be aware of to address the increased threats?
GC. Compliance is the same issue regardless of the legislation or regulation – controlling and reporting on the who, what and when of data access. Policies require knowledge of who accessed what data and when. Furthermore, the organisation must be able to demonstrate they control and monitor that access with a reporting feature. Network access control supported by two-factor authentication with products such as tokens, smart cards or borderless access servers addresses the ‘who is accessing’ part of compliance. What is accessed, such as actual data, programs and applications, is secured by the protection you put around it; hard drive encryption software will secure sensitive data on laptops and workstations. The final piece to compliance is being able to report on these activities with non-repudiable logging. Using a hardware security module with real-time stamping enables companies to report on activities while ensuring the accuracy.
TP. While most laws do not specify the exact technologies needed to achieve compliance, it has become increasingly obvious that identity and access management solutions can provide a strong foundation. Access control, encryption and strong authentication solutions are very useful tools in demonstrating control over access to financial information, for example. Most people would agree that compliance is an extremely costly process – and some companies spend a lot more than they perhaps need to in order to cover every possible eventuality. This issue is exacerbated by the fact that many regulations are non-specific and therefore open to interpretation. The single biggest improvement that should be made would be to add clarification and be more exact about what companies need to do. This is not something that should be done by the IT security industry, but by the administrators of the regulations themselves.
EP. Enterprise security is very much part and parcel of a holistic response to legislation such as Sarbanes-Oxley and Basel II. Corporate governance requires adherence to these and other applicable legislation, and proper management can be attained by including appropriate (security) software programs to facilitate the organisation, storage, retrieval and categorisation of company data.
CV. Senior executives cannot afford not to be aware of the increased threats. Given the potential impact to their business and the increasing governance requirements in most jurisdictions, it is critical to show that enterprise security risks have been systematically documented, assessed and appropriately actioned. It is recognised that not every risk can be mitigated, but without a process to analyse and address the most severe, the senior executive opens themselves and their organisation to potentially catastrophic damage.
JB. The mitigation of risk and the imperative need for compliance is amongst the issues that are high on the agendas of CEOs and CIOs who have to put theory into practice. The ‘keep me out of jail’ mentality rules, but confusion reigns. We recently conducted some research that revealed almost 50 percent of IT managers across Europe say they are not instructed by anyone about which e-mails to keep and which to delete, yet Sarbanes-Oxley states that you have to keep e-mails for seven years or longer, including spam. It is statistics like this that show the depth of the challenge facing organisations when it comes to governance. Security is crucial to compliance because if you can’t protect the confidentiality and integrity of the data you are holding, your business is unlikely to be deemed compliant with increasingly strict rules. That may one day cost your business dear. Nevertheless, compliance should be seen as an opportunity not a threat. It is about mitigating risk and installing best practice – two things that no business should shy away from.
BD. Security plays a key role in compliance and corporate governance as these issues are forcing companies to focus on protecting the integrity of corporate data and customer information. Today’s business also has to ensure that solid reporting mechanisms are in place to govern good practice and support financial auditing. Companies are taking the changes in business regulation very seriously as the penalties for non-compliance can be very severe. To ensure wise security investments are made, executives must consider solutions that not only provide centralised management capabilities but also provide an integrated framework that covers all areas of a company’s security requirements from web and endpoint security to perimeter and internal protection. This will allow highly secure business frameworks to be enforced and will enable faster and more comprehensive reporting capabilities that can be managed effectively across the company.
CXO. What developments are you currently getting excited about? And what trends will have the biggest impact on your business over the next 12-18 months?
EP. We have seen an exponential increase in the use of the internet to conduct commercial transactions, facilitate virtual communities, encourage education and provide platforms for communication, to name a few. A plethora of data on every conceivable subject, voice over IP, a ‘view’ of the world by persons previously cut off from communications outside of their local tribe or community, and continuing exponential increase in e-commerce will continue for the foreseeable future. However, all computer users, from the home user to the enterprise user, from the local police department to sophisticated intelligence services, must continue to ensure they are taking all appropriate and reasonable steps to stay safe online, to protect personal/customer data, and to get educated prior to engaging tools and technology in their environments.
CV. Even when rationalised, the rollout of IT security can itself be a risk. Historically, solutions were very intensive for both users and administrators at each phase of their lifecycle. Through initial deployment to ongoing maintenance and support, the complexity and effort required by IT personnel jeopardised successful use of the particular technology. Luckily, much has been done recently to make security much easier. At the initial rollout phase, more and more security can be delivered without touching legacy business applications or requiring deployment to the user’s workstation. Instead, more and more security is delivered by monitoring and proxying network traffic, which is less invasive and allows these solutions to be readily deployed and maintained. Further, the transparency to both the user and administrator is being increased by making more security actions policy-based, so individuals do not need to specifically decide to secure transactions or data – instead it is done automatically. These factors are key to the successful use of security technologies to mitigate business risk.
GC. Security policy and enforcement is a big trend that we see affecting every business and governing body. The government sector is clearly the leader in initiating and implementing this technology, but the commercial sector can learn and benefit from what has already been done. SafeNet has been working with government agencies for more than two decades, and believes our expertise in this area positions us as a market leader. Another growing trend is the world’s reliance on wireless and mobile communications. We have been jointly developing mobile platform secure solutions for UK government agencies that allow mobile devices to operate in the field securely, and expect this trend and our work in this area to continue in the coming months.
TP. One area to keep an eye on will be enterprise data protection and information lifecycle management. Much of the focus to date has been on protecting data in transit, but comprehensive data protection means providing a robust framework for protecting sensitive data in any place it resides: at the application-level; within databases; in files and operating systems; on laptops and mobile devices; and in storage. One of the main drivers for this requirement is the likelihood of breach notification laws being implemented on a European level, as they already have been in many states in the US. ISPs and telecommunications companies in particular may be required to inform customers of any security breaches that lead to the leakage of personal data. For this reason, we expect demand for information lifecycle management solutions to increase.
JB. Over the next 12-18 months we will see the increasing consumerisation of IT, which can only be a good thing for the world of technology. In the same way that individuals have taken the technologies they started using in the business environment home with them, as more technology is used on a personal level - through PCs, digital photography, online music etc. - business users will come to expect the same quality of service, design, manufacture and accessibility through the business as they receive at home. Every user of technology is a consumer, regardless of the business they are in. As these two worlds merge, we will see a shift from B2C to C2B, which will have ramifications for what people expect from IT in the business world. As this happens the corporate and consumer economies will increasingly converge together which will bring the whole issue of confidence and trust in online business to the forefront once more. Needless to say, there are interesting times ahead.
BD. Our security offerings continue to evolve not only to address the ever-changing threat landscape but also to support the development of new technologies in areas such as VoIP, mobile devices and web applications, and to meet the changing requirements of business. We are constantly looking at new ways of making high-end security capabilities accessible to small and medium-sized enterprise organisations and remote offices. Check Point is continuing to develop the industry’s first unified security architecture to address the issue of security sprawl – the inefficient growth of security that results in increased management costs from the purchase of point security solutions. Unified security architecture provides the foundation for a pan-enterprise security structure that stays secure against new threats with minimal administrator effort, reduces the management operational costs by delivering a unified management system for multiple components, and enhances the ability for executives to get meaningful security reports by enabling a common view for all security information. The growing awareness of security as a strategic agenda point for board-level discussion looks set to continue as companies become more aware of the need to align IT with business and protect their assets against escalating threats. Companies will be able to gain significant value if they view security as an asset.
Taking a risk-based approach
Most security issues are firmly rooted in one or more organisational or business issues. But could a risk-based approach help people better understand how information security affects their organisation's missions and business objectives?
“Absolutely,” says Check Point’s Bruno Darmon. “Companies that take this approach will have a much more effective long-term strategy. It will also enable the CIO to align IT strategy with the overall strategic direction of the business and therefore gain greater visibility and understanding with C-level executives from other business areas. Senior executives are recognising the need to be involved with IT strategy and by approaching security from a risk-based perspective it will allow them to see the value and impact of any security investments on their business.”
Chris Voice of encryption specialists Entrust also recognises the value of a risk-based approach. “It’s just a very effective tool for prioritising and rationalising IT security spending as it ties that investment to tangible business outcomes,” he says.
SafeNet’s Gary Clark believes that trying to pre-empt and plan contingency actions for any security breach is one of the best ways to enable quick resolutions and minimise company damage. “Identifying and prioritising business risk is imperative,” he says. “Once this has been done, a plan can be implemented or technology deployed to keep critical information secured and confidence in the precautions taken high. Planning and preparing, with the right technology at the right level, is the most effective way to stop malicious attacks.”
John Brigden from Symantec agrees. “Risk assessment is essential to the operation of any business as it enables the IT department and the business to ensure that while data is accessible by those who need it, it is not available to those who do not. Without this, IT operates in isolation rather than ensuring that the necessary systems and support are put in place where the business needs it most.”
Creating a security policy
With Microsoft’s Edward P. Gibson
Technical solutions will always be at the heart of IT security. Properly configured and updated systems, up-to-date anti-virus software and the correct firewalls are all cornerstones of effective security practice. But technology can only go so far to ensure proper security: technical measures need to sit side-by-side with guidelines for staff, partners and possibly even customers. In short, companies need an effective security policy. Creating such a policy need not be an onerous financial commitment, or take up valuable time. In many cases, it is better to enforce a small number of simple measures rather than be over-prescriptive. And any policy will be more effective if companies take the time to explain the thinking behind it to their staff.
Step 1: Carry out an initial risk assessment
First, understand which information the company needs to protect: where it is held, who owns it and the consequences of any unauthorised disclosure. Then evaluate the threats to that data and put in place the appropriate responses and security measures. Finally, understand the losses the business would face if data security were breached, so that the cost of each measure can be weighed against the loss it prevents.
Step 2: Classify the importance of data
Companies should classify data on two scales: the damage caused if it fell into the wrong hands (confidentiality), and the harm to the business if the data were unavailable (availability). Data that scores highly on both scales needs to be both protected and resilient, and IT departments will need to devote the bulk of their resources to it.
Step 3: Understand the nature of the threat
Businesses can make their IT security policies more effective if they are up-to-speed with the nature of the threats they face.
Step 4: Understand your legal and regulatory obligations
Often, one of the most important drivers of an IT security policy is external regulation, so the policy should state which laws and regulations apply to the business and which of its controls satisfy them.
Step 5: Define the perimeter
A business with a large percentage of staff working remotely, from home or on the move will have a different perimeter from one where most staff remain office-based.
Step 6: Define minimum standards of security for PCs
At the most basic level, this should include specifying anti-virus software and ensuring that it is up to date, the use of personal firewall software, and regular operating system patches.
Step 7: Create usage policies
Good security rests partly on technology but also on trust and common sense. If employees know the restrictions that apply to using company computers – and why those restrictions exist – then they are much more likely to comply with them.
Step 8: Integrate security and continuity policies
Policies for backing up company data – for remote and mobile machines, possibly over a VPN, or at least each time they connect to the company LAN – are as critical as passwords and anti-virus. And because business continuity and security requirements can conflict (a backup copy is also another copy to protect), it is important that strategies for both evolve in parallel.
Step 9: Make sure the security policy can evolve
A security policy should be a framework, not an inflexible set of rules that never changes. New applications and new business models will always create potential risks. A security policy should be able to adapt to these.
Step 10: Keep it under review
IT security is a fast-moving field. A policy is of limited use if it is out of date, so IT departments need to keep in constant dialogue with the business in order to ensure that new threats are tackled and that security enables business development, rather than standing in its way.