IT security bosses are still finding it hard to explain to the company board why they should invest in security, because many are unable to articulate that it is a business enabler and not another overhead, according to a leading security expert.
This is despite the need for safeguards to comply with regulations, such as the Sarbanes-Oxley corporate governance laws.
Alastair MacWillson, head of Accenture’s Global Security Practice, told IT Week: ‘SOX has done us no favours because people regard compliance as another overhead and security and control is a big feature of that, so it enforces the view it is just another tax on the business.’
MacWillson said many CIOs and CISOs were still making the mistake of talking in terms of technology, rather than business.
Even so, security is a top-five business issue on the boardroom agenda, and number one for action for most CIOs and CISOs, according to a new IDC/Accenture survey.
‘I’m amazed how few [IT managers] can give a concise, clear pitch on the state of security in their organisation,’ said MacWillson. ‘The high-performing companies tend to focus security not under the CIO but maybe [under] the CEO, giving it a platform of significance with sponsorship from the top.’
Security chiefs should emphasise the business benefits of comprehensive security, such as protection for the supply chain to extend the reach of the organisation, or safeguards to allow firms to do online banking, said MacWillson.
‘There is still a legacy of residual thinking that security is just about blocking, and is designed [solely] to protect assets, not to do more for the business,’ he said. ‘But our clients that do security well, whether a coincidence or not, are all high performing.’



