Inforrmation security doesn’t count

Boardrooms are full of people who understand numbers, and businesses are run by numbers. The questions that independent directors are really interested in asking the executives are usually: “how are the numbers looking?” The executives have a series of questions they ask senior people inside their organization. things like: “What’s our sales conversion rate looking like?” and “Are we on track to hit that cost-reduction target?” or “Why has the component failure rate crept up over 1.3%?” And, because all these measurements are important, people have answers; they also know that things that are not measured aren’t as important.

So, how do we get information security to matter in the board room? We try and frighten the directors, is usually how. Now, there’s nothing wrong with fear as a motivator (and we all know that there’s a lot to fear, whether it’s external threats or compliance requirements) but if information security is ever to have long term importance in the board room, it’s got to be something that has a set of meaningful numbers attached to it. And that’s hard, because not only is there no standard methodology, there aren’t even any commonly accepted methods of costing even the most common incidents, threats or solutions.

And this is not surprising. In an environment where fear is the driver, then most organizations will seize on any data they can use to support their pitch; for instance, the claim that spam is currently 80% of all e-mail and is growing at 20% per year is a pretty useless statistic – what will our e-mail system look like in three years time? And what does it matter if you have a properly configured spam filter? What is the real cost of filtering out spam? And does it matter more or less than the 100,000 viruses in the wild? What is the real cost of leaked information and what is the real incidence of this type of espionage? How many intrusions of what sort were blocked last week with what sort of benefit to the business? What metrics should be used to assess the deployment of an information security solution? Does anyone know the answers?

Until the information security industry can produce coherent, meaningful answers to these questions, CIOs, CSOs and CTOs will struggle to communicate meaningfully with their colleagues and businesses will struggle to really get to grips with the issues.