In a world full of acronyms, it is time to coin an important new one: WIIFM. It stands for: “What’s in it for me?” and is the foundation for almost all human activity.
It is no different for board directors and senior managers in organisations across the world. When confronted with demands from department and business heads for resources and support, they all ask: WIIFM?
The importance of information security has traditionally been defined in operational terms. Senior leadership were told that having an information security programme would fend off hackers, stop viruses, avoid data losses and prevent other dangerous threats. Most organisations saw information security in terms of fear, uncertainty and doubt.
But with ever-increasing regulation focusing on the protection of information, organisations are looking at information security in a different light. There is nothing like the threat of personal penalties associated with non-compliance to focus minds and move issues to the top of the boardroom agenda. IT chiefs too have changed their approach when presenting to the board about the value of their services.
So, today business leaders are more inclined to call in information security professionals at the start of a project, rather than at the end out of necessity. Security professionals are increasingly being invited to talk about strategy and the value of a proactive approach to security, including the delivery of efficiencies, cost savings and new business opportunities.
Security strategy is distinguished from IT strategy in that it focuses on processes, people and technology operating in a way that protects information assets. Integrating security into core business operations and making it part of the technology infrastructure ensures that it becomes part of organisational culture.
Communication is key
As reliance on close integration with partners, suppliers and service providers increases, ensuring that this approach is embraced across business sectors and geographies to protect shared assets and interests is even more critical.
Below is a list of pointers for senior IT executives who are still struggling to make security a strategic issue in their organisations.
Use language that business leaders understand: do not use jargon when discussing the importance of security.
Speak about enabling their strategy to deliver efficiencies and cost savings, or to bring a product or service to market on time and on budget; debunk the myth that security is a hindrance.
Talk about enhancing existing processes and technology and minimising costs associated with security technology. That will go down well with the chief finance officer.
Ensure that business leaders understand that security is not a technology issue and that successful protection of information assets depends primarily on people, processes and a firm’s culture.
Communicate and build relationships throughout the organisation at all levels to ensure that security groups hear about projects at the start of the process.
De-mystifying security goes a long way towards moving it from a technical issue to a strategic one that will help rather than hinder business operations. And when all else fails, always remember when talking to senior management that they will be thinking “WIIFM?”
It is up to CIOs to meet the challenge. If they want to add value and shape business strategy and processes, it will involve more than just re-labelling job functions, activities and responsibilities. Skill sets will need to change, as will the way security specialists communicate with their businesses and measure performance. But get it right and everyone will get something out of it.
Simone Seth is a senior research consultant at the Information Security Forum