Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies' IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.
We've been talking the risk talk for years. Now it's time to walk the walk, as a team.
What does that mean, exactly? We need to articulate the value proposition for our security spending--what the business is gaining--in a manner executive management can digest. Sure, there's been pressure before to associate business risks and the cost of corresponding controls, and plenty of CISOs have slung plenty of shaky financials.
Drop the charade. Commit to shifting the focus from fire drills to the business of information security, and you can finally move from being a cost center to a strategic asset that delivers a real competitive advantage. "Our holistic program for identifying and managing IT risk has moved our culture from risk awareness to risk intelligence," says a director at a medical device company. "We have been able to educate the business and help them understand that IT risk is business risk."
Company size and vertical industry don't matter here. Large enterprises have skin in this game because their executives are accountable and their reputations are on the line. Smaller businesses that provide services or products to large enterprises care because their customers expect them to meet rules and regulations, whether PCI, HIPAA, or state-level data privacy laws. Bouncing from one tactical project to another without a master plan is a losing proposition. We've found that companies that manage risk more effectively than their peers perform better financially--in any economy.