Despite the substantial amount of media and industry attention given to the dangers of viruses and data loss, security spending among Canadian small and medium-sized businesses (SMBs) is at a surprisingly low level. A recent report by Symantec Corp. revealed that 68 percent of companies were spending less than 10 percent of their overall IT budget on security, even though data protection and unauthorised access were named the top concerns for IT managers.
So why is IT security all talk and no action with these businesses? According to Michael Murphy, vice-president and general manager for Symantec Corp. Canada, many SMBs believe that adequate security spending is a "huge cost burden" with no quantifiable benefits.
While it’s indeed difficult to demonstrate return on investment (ROI) from security solutions, it’s fairly simple to quantify the loss when sensitive customer data is compromised or a hacker takes your entire system down. But how can IT professionals justify the expense of security without having to experience a disaster?
The key is to document what kinds of security challenges you face, what your existing preventative measures already accomplish, and the impact all this has on the organisation. In short, you need business metrics that demonstrate how vulnerable your business is without proper security protection.
Here’s how to make those metrics accessible to senior management and auditors.
Talking in a language management understands
Although it’s important to report the basics, like the number and types of attacks you’ve experienced and how you stopped them, you need to go a bit further to help management see the big picture.
Executives don’t necessarily care about the number of vulnerabilities you’ve patched or the amount of spam you’ve blocked; what they want to know is how these actions have benefited the organisation. And to do that, it’s perfectly reasonable to use qualitative rather than quantitative data.
So instead of simply providing status reports, describe the business impact of your security measures; and instead of providing operational metrics, give business-centric metrics. If the company goal is to increase customer satisfaction, show how security measures that protect sensitive customer data from unauthorised access are crucial; or how optimal uptime on your customer-facing website requires defending against denial-of-service attacks.
Your reporting should provide a clear, direct link to business goals and objectives, making it easy for management and company owners to see the context of the reports and understand their value.
Get the auditors on your side
Although they can create a lot of hassle and extra work for you as an IT professional, security auditors can also be your ally. Independent assessments are an opportunity for IT staff to prove their credibility and for management to see that the organisation is on the right track.
To accomplish this, you’ll need to demonstrate the security solutions and procedures you have in place and prove that they are operational. Provide a set of audit-centric reports, all drawing on the same underlying data: first, reports that show the security architecture and the security policies deployed on network devices and servers; then log-based reports that demonstrate those policies are actually in place and functioning effectively.
You’ll also probably want to produce reports about things like antivirus protection and patches, which provide more proof that you are enforcing your policies.
IT professionals need to deal with potential threats and also present a case for protecting against them; both require accurate information about what’s going on in your environment. With proper reporting strategies, you can substantiate the effectiveness of your security measures and demonstrate how crucial they are to continued business success.
For more information on security solutions for your business, visit HP Computer, Data and Network security solutions for HP Small and Medium Business.