Security chiefs fail to justify regulation spending
Sarbanes-Oxley adds to regulation burden
IT security bosses are still finding it hard to explain to the company board
why they should invest in security, because many are unable to articulate that
it is a business enabler and not another overhead, according to a leading
security expert.
This is despite the need for safeguards to comply with regulations such as the
Sarbanes-Oxley corporate governance laws.
Alastair MacWillson, head of Accenture’s Global Security Practice, told
IT Week: ‘SOX has done us no favours because people regard compliance
as another overhead, and security and control is a big feature of that, so it
enforces the view it is just another tax on the business.’
MacWillson said many CIOs and CISOs were still making the mistake of talking
in terms of technology, rather than business.
Even so, security is a top-five business issue on the boardroom agenda, and
number one for action for most CIOs and CISOs, according to a new IDC/Accenture
survey.
‘I’m amazed how few [IT managers] can give a concise, clear pitch on the state
of security in their organisation,’ said MacWillson. ‘The high-performing
companies tend to focus security not under the CIO but maybe [under] the CEO,
giving it a platform of significance with sponsorship from the top.’
Security chiefs should emphasise the business benefits of comprehensive
security, such as protection for the supply chain to extend the reach of the
organisation, or safeguards to allow firms to do online banking, said
MacWillson.
‘There is still a legacy of residual thinking that security is just about
blocking, and is designed [solely] to protect assets, not to do more for the
business,’ he said. ‘But our clients that do security well, whether a
coincidence or not, are all high performing.’