From: www.itworld.com

Educating Executives

by Rick Johnson

September 3, 2002

Your firm is on the hot track to stardom with an idea that will
revolutionize the world. The company is moving forward with its
business plan and suddenly someone asks an executive, "Are you secure?"
Well, if you have not already battled through this subject with the
executive team, expect a phone call.

Sure, they understand that security is needed. However, the mental
vision of your average executive sees security as a box to check on a
list and not an in-depth, ongoing process. Now, I am not belittling the
executive team; they are a vital part of the organization. Remember,
they knew enough to hire you.

Here are examples of the types of questions you are sure to face at some
point in your endeavors. Of course, each answer you give is sure to
spawn even more queries.

Q. What will it take for our company to be 100% secure? (This is one of
those questions that is almost laughable except that it is asked far too
frequently.)

A. Unfortunately, it is impossible to reach a state of 100% security.
There are always the uncontrollable factors such as new vulnerabilities
or disgruntled employees. Realistically, a state of 95% is possible;
however, that other 5% is virtually impossible without locking the entire
company in a vault and filling it with cement.

Q. Why do we need a dedicated staff to handle security? Once things are
locked down, they will not have anything to do. (This question shows
someone who does not grasp the concept and importance of a security
department.)

A. This is like saying that once the doctor gives a patient a clean bill
of health, they never need another checkup. That person will still need
to visit multiple types of doctors to keep their body in perfect running
order. Security is the same. You need the staff to handle daily
maintenance of the security systems as well as the response team to deal
with emergencies.

Q. These firewalls and intrusion detection systems are quite expensive.
How do we justify such an expense when it will not generate any
revenue? (This will most likely come from the Chief Financial Officer.)

A. While it does not directly generate revenue, security does help keep
revenue from falling. Imagine what would happen if the customer credit
card database was stolen. Once this information hit the news wires, how
many of those customers would cancel? Or worse, sue for damages? Let's not
forget the fun the sales department will have trying to convince potential
clients that it was an isolated event. Security provides confidence in
the company; you cannot put a price on that.

Ideally, your executive team will have past security experience, but
realistically expect to spend half your time fighting for those
necessities every solid company requires. Of course, isn't that part of
the fun?