Executive boards have witnessed the brouhaha that has accompanied each new virus outbreak, and have had their collective minds focused by the slew of compliance legislation hitting the organisation.
But they still expect every penny of security investment to be justified. And there is no short answer to the question of how much time and money should be spent on protecting the corporate IT infrastructure from security threats. "There are very few absolutes in enterprise security," says Richard Hackworth, head of group IT security at financial services giant HSBC.
Some security measures are, by now, mandatory; precautions such as virus checking of emails are standard. But to evaluate what level of extra expenditure is required, beyond this baseline, companies must engage in the nebulous task of estimating risk.
"Businesses must ask themselves: Where are our vulnerable areas, and how much will it hurt if they go wrong?" says Hackworth.
But risk assessments must take careful account of the true nature of the business, avoiding the trap of becoming risk-avoidance strategies, warns Hackworth, otherwise they can undermine the business.
For example, connecting to the Internet exposes organisations to a greater degree of risk. However, before cutting back Internet functionality in the interests of security, says Hackworth, the value it adds to the company must be properly assessed.
"Ask yourself what impact an Internet failure would have on customer service, public reputation and market confidence," he advises. "Customers perceive the business through the Internet, and the quality of a company's IT is associated with its brand," he says.
So while a web site might be expensive to secure, that expense is justified if it adds significant value to the business. Historically, supply chains were relatively easy to control, because all the data was generated within the confines of the corporate firewall.
But as businesses have embraced the concept of extended supply chains, widening their reach to third-party partners, the associated risk has simultaneously increased. "The boundaries of who would be exposed to risk now stretch way beyond our businesses," says Hackworth.
Similarly, when it comes to risk profiling, many organisations overlook management controls, says Hackworth. In fact, IT failures can severely compromise management's ability to control the business – it could even be fatal. "If those systems fail for a week or a month, regaining management control is very important, and can be very difficult," says Hackworth.
These examples illustrate that, in calculating the business risk associated with IT infrastructure failures, companies must think beyond the immediate operational costs and consider less tangible assets such as management control and brand profile.
For this to occur, Hackworth argues, security projects must involve business, compliance and IT staff. "IT risk is a technical topic, but a senior management concern," he says.
Translating IT risk into terms that executive teams can digest has never been easy, says Hackworth, but he recommends comparing it with risks they already understand, such as a breakdown in a manufacturing process.
Once the true value of the functions served by the IT infrastructure has been evaluated to the satisfaction of all the relevant stakeholders, the company can identify and cost the options that reduce the risks to these functions to an understood and acceptable level.
And once the risks are both understood and acceptable to all, says Hackworth, the IT security manager has "done his job".