With Thomas Cavanagh, senior research associate, The Conference Board. The organization recently did a survey in conjunction with the Department of Homeland Security, "The Conference Board Report Navigating Risk: The Business Case for Security."
Question: What did the study look at?
Cavanagh: We were looking to identify the arguments that register most powerfully with senior management with regard to security. We found that issues of operational risk are the things that they are most responsive to. They are concerned about regularity compliance, business interruption costs and legal liability. They are more aware of the risks and are trying to get on top of the downside possibilities and make sure their business is operating. Secondly, some companies see potential for competitive advantages through security excellence.
Question: So companies can use good security as a marketing asset?
Cavanagh: I think that is absolutely true, particularly companies with global supply chains. A lot of them are running operations and dealing with suppliers in fairly dicey parts of the world. Places like Latin America and Southeast Asia. Even in Europe, you have to be aware of the possibility of terrorism and white-collar crime. You find the companies in critical infrastructure industries are much more attuned to security. Also, something we've seen in all research is that larger companies are much more on top of security than the small companies. I think the resources are an important constraint for smaller companies. There seem to be better returns on scale for larger companies. They tend to spend a smaller percentage of revenues on security. The smaller companies complain more about the cost. They seem to feel the pinch more. [Regulatory requirements have been key drivers.] Sarbanes-Oxley [for instance] has been very powerful. In order to ensure integrity of financial statements they have to be secure.
Question: Is progress miniscule, gradual and incremental or dramatic?
Cavanagh: I think it's incremental. We didn't try to measure security spending in the latest research, but in some previous research we found spending for a typical company increasing a little bit more than the rate of inflation. That's in line with other research. I think one of the most interesting findings was that executives who are most influential are not necessarily the most supportive, and executives who are most supportive are not necessarily the most influential. So security directors have a tough job in terms of lining up support in the company in terms of initiatives. I think a lot of that is the traditional view of security as a cost center that doesn't contribute to the bottom line. I think some companies are beginning to view security as an enabler. It makes it possible to do business in parts of the world that may be too dangerous otherwise. One of the key roles of the security director is to be the chief lobbyist for security in the company. It demands some skill sets that we don't always associate with security managers.This 3 Questions originally appeared in a weekly report from IT Business Edge.