Microsoft Canada’s chief security advisor preaches ROI

TORONTO — Embedding and automating risk practices into the business may change the perception that these controls are impediments to business, Microsoft Canada’s new chief security advisor told the InfoSecurity Canada conference Wednesday.

Actually, the hope and expectation of top-level executives is to embed Sarbanes-Oxley (SOX) practices and other such controls into the business in order to reap a significant return on investment, said Mary Kirwan, a former security consultant who recently joined Mississauga, Ont.-based Microsoft Canada.

“Security is perceived as a fortress, as an impediment to doing business,” she said, adding that organizations can then free up time to focus on other matters.

Organizations tend to view security as a roadblock to business because “it’s not necessarily a revenue driver,” said Darin Stahl, lead analyst with London, Ont.-based Info-Tech Research Group.

Generally, he added, investment in security is presented, from IT or security, as “something that must be done, otherwise bad things will happen.”

But IT has a role to play, said Kirwan, because by improving corporate data handling practices and driving efficiency through such automated controls, IT will become a business enabler as opposed to just a provider of technical support.

It’s no longer acceptable, she said, for CIOs to “put out fires and do run of the mill stuff” – instead they need to get more value out of their IT assets.

With ever-evolving technology and tools, said Kirwan, “we’ve got to use these assets strategically. My hope is, over time, management will go back to basics and see IT as something that adds a great deal of value.”

Stahl agrees that this is the intended goal. However, in mid- to large-sized companies, the security team is often situated outside the IT department. “That organization—in terms of staffing, focused responsibilities and lines of reporting—is probably the largest contributor to this issue.”

In attempting to streamline processes, said Kirwan, an organization should recognize that it can’t fix all problems, and should focus its expenditures and attention on high-risk areas.

In addition, they should create “a framework of controls”, so that new legislation can be easily mapped to the existing structure.

Stahl said software exists that allows more automation and process focus across what have traditionally been discrete points.

He notes that although IT may operate security solutions within an organization, performing risk mitigation – setting and enforcing policies – belongs to the business owners.
