X

ROI: Risk of incarceration?

It's hard to prove monetary return of investments in security, but execs understand the risk of not complying with regulations.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
See full bio
Joris Evers
2 min read
WASHINGTON--Regulations like Sarbanes Oxley have morphed ROI from "return on investment" to "risk of incarceration" for senior executives, according to a panel of security executives speaking at a conference here.

Proving monetary return for security spending is a challenge. However, when senior executives know they risk liability if they don't comply with regulations, they will be quicker to approve spending, said the panelists addressing the Computer Security Institute's annual conference on Monday.

Digital agenda

"The executives realize that if they don't get their act cleaned up, they go to jail," said Bill Hancock, a vice president and chief security officer at Savvis Communications.

Sarbanes Oxley, in particular, has been important for Hancock, he said. In other organizations, regulatory requirements such as the Health Insurance Portability and Accountability Act, or HIPAA, are important. Noncompliance could mean jail time or fines for executives or the business, the panelists noted.

"Selling security is not that difficult for me, but compliance does make it a bit easier," said Terri Curran, director of information technology at Bose, a sound equipment manufacturer.

Jane Scott Norris, chief information security officer at the U.S. Department of State, agreed. "Spend some time reading all those boring laws. Increasingly it is important in our field," she advised the audience of security professionals.

To do the job well, information security executives have to be experts in risk management, said Jack Jones, chief information security officer at Nationwide Mutual Insurance Company of Columbus, Ohio.

"Perfect security is unachievable, what we're really trying to do is manage the frequency and magnitude of loss," Jones said. "We tend to only be experts at security, not at risk management, and I consider that to be significant problem for us."

To become better at risk management, security executives should connect with the business people in their organizations, Jones said. Other panelists chimed in, saying that security executives don't need to be technology experts. They could have a business background instead.

The experience in talking to management is critical anyway, to make the security pitch.

"I can go from being extremely geeky and turn right around and give a management pitch seconds later," Hancock said. "It makes your troops want to follow you. To do the job of CSO, you probably don't have to be as technical, but it is important to be technical at the same time."

One critique of the regulatory-compliance focus is that organizations now work to become auditable, instead of more secure, said an audience member who did not identify himself.

Said Jones, "That comes back to risk management."

Curran noted a balance needed between compliance and security, and that security executives have to find that balance: "I haven't found the balance yet, if I do, I'll write a book."