September 16, 2003

Akhil Bhandari, VP of IT at CCL Industries Inc. in Toronto, has noticed an interesting trend. Lately, members of the executive team have been sending him E-mail about viruses, security breaches, and acts of cyberterrorism they've read about in the news. These executives, including the CFO, COO, and even the CEO, just want to make sure the $1.2 billion contract manufacturer of popular consumer products is adequately protected.

"Security is certainly more of a discussion point among executives these days," Bhandari says. "More than ever, I have to keep our executive team abreast of what's happening out there and what we need to do about it."

Bhandari isn't alone. A recent survey of 815 business-technology and security professionals, jointly conducted by Optimize and InformationWeek, found that senior executives are taking a greater interest in information-security issues and having a stronger say in how security dollars are spent.

Some 46% of respondents said the CEO, president, or managing director sets spending for information security. That's a lower percentage than in previous years, which may be because many companies are setting up committees to help direct security spending. A growing number are also hiring chief security officers who manage the security budget. AOL Time Warner Inc. and Sun Microsystems Inc. are among the high-profile companies that have made chief security officer hires in the past year. According to Meta Group, only about 30% of Fortune 1000 companies have a chief security officer or equivalent, but 95% say they need to hire someone in that role.

High-level input

Not only high-profile news events are capturing executives' attention. The security spotlight is also on a slew of new federal and state regulations (such as the Sarbanes-Oxley Act of 2002, California's Security Breach Notice Law, and the Health Insurance Portability and Accountability Act, or HIPAA) that are dramatically affecting the way companies handle customer information. Executives are becoming more proactive in making sure their companies comply. Moreover, the rise of Web services and business collaboration has generated more vigorous discussion about security and concern about critical data falling into the wrong hands, or worse, being compromised by business partners.

Significantly, more than half of the survey respondents said regulatory requirements are the primary drivers of new investments in information-security products and services. Other reasons cited include potential liability/exposure (70%), potential revenue impact (41%), and partner/vendor requirements (24%).

Bert Reese, VP and CIO of Sentara Healthcare, which operates six hospitals and offers health-care coverage to 300,000 members, says until this year information-security issues failed to reach the executive suite. Senior-level management never gave much thought to issues such as intrusion detection and disaster recovery, he says; they simply entrusted him to take care of those things. But the new HIPAA regulations and other compliance issues suddenly have the corporate suites buzzing with interest.

Gene Fredriksen, VP of information security at financial-services firm Raymond James Financial, believes some of his peers still need to do a better job of marketing their security organizations. For example, they could demonstrate how better security lets the company safely open up some of its systems to customers and business partners over the Internet at a fraction of the cost. In the past, whenever security people needed more money, they would scare the CEO with a litany of horror stories, Fredriksen says. But in lean economic times, that approach won't work. To be successful, security officials must talk the language of business.

"They must identify risk and also quantify the potential damage to the business and propose a budget," he says. And they have to educate senior executives about the latest happenings on the security front.

To that end, Fredriksen publishes a monthly newsletter for board members and executive management. He uses graphics to underscore high-, medium-, and low-level attacks identified by the firm's intrusion-detection system. He also tracks firewall breaches and virus infections. The newsletter contains brief articles on emerging security trends and legislation to keep senior executives abreast of the big stories even before they reach the major newspapers. By keeping his senior executives educated, and hitting them with the right message at the right time, Fredriksen has managed to incrementally raise the security budget in relation to the overall IT budget. This year, the company will spend more than $1 million (almost 5% of the overall IT budget) on security initiatives, putting the company in the top 15% of respondents.

Some companies pay a high price for not adequately investing in security. Survey participants reported that breaches result in compromised information confidentiality (13%), loss or damage to internal records (7%), lost access to customer records (7%), and compromised customer records (5%). However, these are minor when compared with the loss of business applications (49%) and network unavailability (45%). Only a handful of companies admitted to being hard-hit financially by information breaches or espionage. Half of the sites surveyed reported losses less than $100,000. Nearly a third reported no dollar losses attributed to security attacks.

ECMD Inc., a $100 million manufacturer of building components for the housing industry, needs to guard against industrial espionage and protect its systems from potentially malicious or nosy employees. To date, the company hasn't come under serious attack, but hackers have broken into its Web sites and engaged in general vandalism. "We don't keep any sensitive data on our Web sites, so the loss wasn't significant," says VP of IT Steve Brown.

CCL Industries has also come under hacker threats. The company engages in online commerce with business partners and suppliers. To ensure the integrity and security of its mission-critical data, CCL has established a stand-alone collaborative commerce platform that's fed information from CCL's internal ERP and E-commerce systems. As a result, suppliers can log on to the platform, but can't update any records or see anything that CCL doesn't want them to.

Network firewalls and virus-detection software are the tools primarily used to keep systems free of security breaches. Virtual private networks continue to grow in popularity: Fully 71% of sites report using VPNs to protect operations in 2003, compared with 58% in 2002. Private encryption is also gaining.

One big challenge is striking the appropriate balance between the need for security and its cost. Indeed, survey respondents reported that capital expense was one of the most significant barriers to effective security in their companies (44%). Other obstacles include the increasing sophistication of threats (49%), lack of time (37%), lack of qualified staff (31%), and complexity of the technology (24%). Another 24% cited lack of management support, which means that while security is gaining stature in some organizations, it's still an afterthought for many.

Victor Wheatman, managing VP of research firm Gartner Inc., says most companies still don't think about the cost of security before they build or implement new systems. He estimates that adding proper security raises the cost of application development by 30%. "Too many companies rush ahead and forget about security," he says. "And then they get a big surprise after the system is up and running, and they realize they now have to factor in security."

In one case, ECMD's Brown, along with his senior executives, decided to abandon an online initiative with a particular partner because, among other issues, security costs were too high and simply outweighed any potential benefit. "Security absolutely plays a role in determining whether we partner with a certain vendor and whether it's worth the extra cost," he says.

One solution is to outsource information-security services to a third party, much as companies outsource security guards. But the trend is still in its infancy. Only 17% use outside firms to host security systems. Most want to outsource systems implementation, strategic consulting, integration, and technology transformation.

The onus remains on IT and security professionals to educate upper management and encourage participation in security planning. "If there is no awareness of risk at the executive level," Fredriksen says, "security will not receive the level of funding it deserves."

Tom Stein is a freelance writer.

This article originally appeared in Optimize magazine, September 2003, Issue 23