In Depth

Interview with Tom Ridge

Former DHS leader Tom Ridge talks about the practicals of communication and collaboration

By Katherine Walsh

One struggle of CIOs and CSOs right now is convincing upper management of the ROI of security: It’s the challenge of selling security. How do you go about doing that?

I have a lot of empathy for CIOs and the CSOs because when they would like to beef up their IT systems and want to embed preparedness and recovery plans into their networks, they have to go to the CFO and CEO and say, “I need X number of dollars to do this,” and the first response they’re going to get is, “What’s the risk? What’s the threat? That’s a big expense, where’s the ROI?” But I think in a more globally competitive marketplace, a more interdependent marketplace—a post-9/11, Sarbanes-Oxley world—there are far greater vulnerabilities to a commercial enterprise today than ever before. It’s not just about profitability, it’s about the intangible asset—your brand—that’s at risk. I would hope CFOs and CEOs and boards of directors would pay a little more attention to the risk assessment rendered by security officers or information officers when parceling out annual budgets. You have to manage the risks, and there are certain ones that need to be managed regardless of ROI. People buy insurance and hope they never have to use it. At the end of the day, that’s an enormous expense. But it’s an expense that we use to safeguard [against] the possible undermining of our brand or profitability. There are all kinds of pressures—quarterly returns and market expectations—but given the nature of the competitive world and the interdependency of the marketplace, 9/11 and Sarbox, we better start paying a little more attention to CIOs and CSOs.

What is the most important thing these executives can do in their organizations in terms of business continuity and disaster recovery?

There are occasions in which the CSO or CIO can make a case for an additional security investment that has economic benefits. Perhaps it makes the commercial enterprise more productive or more efficient. You have to go on a case-by-case basis. The best way to convince the business you need to spend more money is to show it will yield a security benefit and a productivity benefit. But you can’t ignore the reality that even if you can’t show a strict ROI, these are expenses that buy you some extra protection in a world of greater vulnerabilities. And that expense, compared to the cost if something goes wrong—if your supply chain is disrupted, if there is criminal activity or a disaster or a terrorist strikes—is minimal.
