Risk assessment is vital to security

Computing reports from the Infosecurity Europe conference.

Written by Emma Nash.

Company board members will only treat IT security seriously if they understand the dangers to their business.

Risk assessment is fundamental to convincing directors that sufficient funds should be allocated to security, according to IT security executives at last week's Infosecurity show in London.

"Directors all support security, but need to be convinced about how much money they should spend," said David Lacey, head of information security and governance at the Royal Mail Group.

Lacey believes businesses need an official risk assessment process, but must not go overboard when spelling out the potential damage.

"Use the fear factor selectively and objectively. Don't cry wolf because the electronic Pearl Harbour is unlikely to happen until 2005 or 2006," he said.

John Sharif Adebayo, director of security risk at investment bank UBS Warburg, advises that IT experts need to avoid jargon.

"You have to speak the language of the board," he said.

"Executives are not always technical. What I say is: 'This is the risk and there is some threat out there and it's going to have an impact on your business. What would you like me to do about this problem?'"

Jill Trebilcock, head of data and information security at the BBC, says justification is the key to selling a project to the board, as it helps explain the benefit to the company.

She suggests using simple questions such as: "Can this solution save money? Can it make money? Will it ensure that our systems are permanently up?"

The security policy is important, but its objectives need to be established first, according to Andrew Yeomans, vice president of global IT security at Dresdner Kleinwort Wasserstein.

"Know what you are trying to protect and what you are responsible for before an IT security policy is drawn up," he said.

Selling security

  • Present the case for security to the board in a non-technical way that directors will understand.
  • Illustrate the risk to the business.
  • Do not be over-dramatic.
  • Explore the commercial possibilities of security - will it save or make money?
  • Establish what needs to be protected before drawing up a security policy.