It is vital that chief information security officers vastly improve their relationship with their chief executives as budgets tighten and they are expected to do more with less.
That is the message from Khalid Kark, principal analyst at Forrester Research, who said security departments often battled with a “dotted line”, or intermittent, relationship with CEOs that hindered their functionality.
This was a fundamental problem, he said, as security threats worsened and CISOs were required to deliver tough security using recession-bitten budgets. They risked not being able to explain their case and justify the right expenditure, he warned.
Speaking at the Forrester EMEA Security Forum in London, Kark said: “You need to make sure that there’s a proper interaction between information security and the rest of the business.”
“You might even need to create a business liaison role,” he added, so that there is clear communication, and so that IT security and the other departments are working towards the same goals. While this would incur cost, there was “too much to lose” by not getting security right.
It was inevitable that security departments would have to accept a cut in their overall budgets however, Kark said, adding that there remains “a lot of fat to be cut”.
But CISOs needed to make their CEOs aware that they deliver a vital function to the business that could not be recklessly cut, he argued.
“You affect the bottom line of the business, there’s no doubt about it,” he said. “You have to work out how to deal with the economy, how to handle changes in technology, and how to deliver what the business wants. Then you can show the business you’re delivering.”
Chief executives know security is important, he said, and are usually very concerned about protecting customer and corporate data, as well as focusing on business continuity and satisfying regulation. But as budgets flatten – security is now 11 percent of IT expenditure on average – CISOs needed an “action plan” so they fulfilled expectations.
Alongside better communication with CEOs, security departments needed to keep flexibility by not tying themselves into lengthy supplier contracts, he said.
CISOs should also avoid being caught up in security myths, Kark said. These included paranoia over the security of virtualised environments, mobile devices and social networking, which can all be useful to businesses when privacy and security is guarded properly, he said.
“With the recession, it’s tough and a lot of us in security are saying we need to give up. But what we need to do is see the changes and act. We are here to enable the business to make its transformations safely.”