Security is a business decision

It's time to stand up tall and look the threat of security violations straight in the eye. It's also time to recognize that it will cost you eight percent of your IT budget to insulate your system from hack attacks. Get used to it now because failing to do so could cost you much more later. "Security can be a valued business component. It can help the business grow, and it can become a competitive edge," said Roland Cloutier, chief security officer of EMC's global security organization. Rather than defining security in terms of defending software systems, think of it as protecting the business, he says.

Not only that, it is a business issue, not an IT one, and it is essential that every part of your team is on board with your plan. One size never fits all, according to Cloutier, who spoke recently at the Center for Information Management Studies at Babson College in Wellesley, Mass. Just remember, 65 percent of all terrorist attacks are targeted at business, not government. And more importantly, there is plenty to lose if a business database is hacked successfully. Two-thirds of these attacks come from inside a company.

That's why protecting the perimeter of your system is not enough, according to Scott Matsumoto, principal consultant at Citigal, a consulting firm in Dulles, Va. "Software security is not security software," he said. And Cloutier advised that CIOs will never be able to sell security as a company asset to the CEO unless they think like a CEO. That means emphasizing the importance of protecting the supply chain and the company's intellectual property. In addition, he advises that security be sold as a service, with the business units taking responsibility for the level of risk they're willing to tolerate.

For more on how IT security pays off:
- Check out this SearchCIO article