If there’s one topic IT types don’t easily tire of, it’s security. A rash of virus and worm activity this past summer underscored, yet again, how critical security is to the smooth running of any business.

But architecting a sound security strategy is not as simple as buying an intrusion prevention system or installing the latest Microsoft patch. Anyone who works in IT security knows that a multi-layered approach — targeting the network, server and desktop — is the only way to go. And even at that, there are no guarantees your organization won’t be hit by malware or a hacker looking for his next conquest.

Why then, is security such a tough sell to the chief financial officer and the other executives who control the corporate purse strings?

There are a couple of reasons that account for management’s reluctance to write this particular cheque. For starters, the security spend is a lot like buying car insurance after you’ve had an accident: You know you need to buy it, but the price always comes as a shock. Typically, only after companies have an “incident” is their management interested in talking to the IT department about building a better mouse trap.

There’s also the fact that security is never a done deal. With other technology fixes, the selling cycle is relatively uncomplicated: A business problem is identified, IT comes up with a workable solution and the business clicks along, hopefully better off than before the technology was implemented. But IT security is not like any other tech sell. It’s a problem that requires an ongoing solution, and that means it’s an ever-present line item on the organization’s balance sheet.

This point was driven home recently at a panel discussion on security I moderated at Enterprise Breakaway in Halifax wherein IT professionals expressed their frustrations to a panel of security vendors.

Several audience members challenged the vendors when they said the whole point of security technology — firewalls, anti-virus software, intrusion prevention systems and the like — is to keep the bugs out, but despite all the safeguards, many organizations still ground to a halt when worms and viruses infiltrated information systems this past summer.

“How do we explain to our CEOs that all the money spent on security couldn’t keep us safe?” one attendee inquired.

Adding a chief information security officer to the IT department makes a lot of sense in a world under almost-constant electronic attack. In many large organizations, the responsibility for security often falls to an already overtaxed IT manager. In addition to overseeing an ERP upgrade, implementing a wireless LAN and managing a help desk that receives 50 calls every day, this person is also responsible for securing what is arguably a company’s most important asset: its information.

Given corporate Canada’s reliance on technology, doesn’t it make sense to have a single person or a team of professionals who have been trained in security policies and procedures keeping the bad guys out? Some will argue there’s no money to create such positions, but with threat levels rising every day and the stakes so high, what company can afford not to have a comprehensive security plan?
