As a Finance Director, I have a legal duty to ensure that my organisation is financially viable, and the Treasurer of a Local Authority has a similar legal duty. Our financial system(s) enables me to monitor our financial position and manipulate the data to provide reports and "What If" analysis of the figures, but that is secondary to being able to ensure that invoices go out on time and cash flow is monitored.
Everyone thinks that the part they play in an organisation is important and they are right, but "Cash is King". If we have no money, no one gets paid and the organisation goes into receivership.
What does basic economics have to do with ICT security, you ask? Well, what do you think would be the impact on the finances of an organisation that could not access its customer database, or had its financial data distorted? How successful would your product launch be if your presentation was known to your competitors in advance?
It could be a case of front-page headlines for a public sector organisation that was unable to keep personal details safe and secure.
With an ever-increasing service knowledge sector, it is not necessarily what you physically make in a factory that counts; it is what you do with the information you own and produce that brings in the revenue. If you lose control of that data, you lose your business.
The damage may not be immediately visible, nor can you often quantify the loss (you need the computer system to do that), but it will be real, all the same. The real question is what the potential damage could be:
* A drop in your share price.
* Loss of customer / client confidence.
* Unwillingness of business partners to share confidential information in future.
* A reputation for incompetence at best and a prosecution / fine / legal action at worst.
* Inability to identify creditors and debtors.
* Loss of business to competitors.
Traditionally, when investing in security, intangible benefits (often difficult to measure in financial terms) far outweigh the tangible benefits (easier to measure in terms of cost savings).
This causes Finance Directors difficulties, as they are trained to look for cost justification prior to committing a budget.
(How many times has the Head of ICT promised savings from new computer systems that somehow never appear?) Typically their focus is on 'financial audits', revenue growth and cost reduction, plus a fiduciary duty to protect the assets of the company. The 'financial audit' is used to...