IT security bosses are still finding it hard to explain to the board why they
should invest in security, because many are unable to articulate that it is a
business enabler and not another overhead, according to a leading security
expert.
Alastair MacWillson, head of Accenture’s Global Security Practice, told IT
Week ahead of his presentation at the Gartner IT Security Summit today that many
CIOs and CISOs are still making the mistake of talking in terms of technology,
rather than business.
Even so, security is a top-five business issue on the boardroom agenda, and
number one for action for most CIOs and CISOs, according to a new IDC/Accenture
survey.
"I'm amazed how few [IT managers] can give a concise, clear pitch on the
state of security in their organisation," said MacWillson. "The high-performing
companies tend to focus security not under the CIO but maybe [under] the CEO,
giving it a platform of significance with sponsorship from the top."
Security chiefs should emphasise the business benefits of comprehensive
security, such as protection for the supply chain to extend the reach of the
organisation, or safeguards to allow firms to do online banking, said
MacWillson.
"There is still a legacy of residual thinking that security is just about
blocking, and is designed [solely] to protect assets, not to do more for the
business," he said. "But our clients that do security well, whether a
coincidence or not, are all high performing."
The need for safeguards to comply with regulations, such as the US
Sarbanes-Oxley (SOX) corporate governance law, is another major reason why security is
still seen as a cost centre by many businesses, MacWillson added. "SOX has done
us no favours because people regard compliance as another overhead and security
and control is a big feature of that, so it enforces the view it is just another
tax on the business," he said.
In other news, document security firm Workshare will today publish the
results of a survey which found three-quarters of IT security professionals were
concerned about malicious exposure of information, but over half said they had
no means of enforcing policy in this area.
"Everyone understands the issue but no one is really addressing it," said the
firm's executive vice-president in Europe, Andrew Pearson. "And firms have
education policies but not high-touch reminder-based methods."
Pearson argued that security chiefs need a user-centric approach to protect
documents, and should alert users who contravene policy. The alternative of
relying on network-based blocking tools makes it expensive to handle incidents,
and may be culturally inappropriate for staff, he added.
"Network blocking tools aren't being taken up by enterprises [because] even
if less than one percent of the emails leaving a company are blocked and sent to
someone for action, there is a huge management overload," Pearson said.