In Depth

Interview with Tom Ridge

Former DHS leader Tom Ridge talks about the practicalities of communication and collaboration

By Katherine Walsh

One struggle of CIOs and CSOs right now is convincing upper management of the ROI of security: It’s the challenge of selling security. How do you go about doing that?

I have a lot of empathy for CIOs and the CSOs because when they would like to beef up their IT systems and want to embed preparedness and recovery plans into their networks, they have to go to the CFO and CEO and say, “I need X number of dollars to do this,” and the first response they’re going to get is, “What’s the risk? What’s the threat? That’s a big expense, where’s the ROI?” But I think in a more globally competitive marketplace, a more interdependent marketplace—a post-9/11, Sarbanes-Oxley world—there are far greater vulnerabilities to a commercial enterprise today than ever before. It’s not just about profitability, it’s about the intangible asset—your brand—that’s at risk. I would hope CFOs and CEOs and boards of directors would pay a little more attention to the risk assessment rendered by security officers or information officers when parceling out annual budgets. You have to manage the risks, and there are certain ones that need to be managed regardless of ROI. People buy insurance and hope they never have to use it. At the end of the day, that’s an enormous expense. But it’s an expense that we use to safeguard [against] the possible undermining of our brand or profitability. There are all kinds of pressures—quarterly returns and market expectations—but given the nature of the competitive world and the interdependency of the marketplace, 9/11 and Sarbox, we better start paying a little more attention to CIOs and CSOs.

What is the most important thing these executives can do in their organizations in terms of business continuity and disaster recovery?

There are occasions in which the CSO or CIO can make a case for an additional security investment that has economic benefits. Perhaps it makes the commercial enterprise more productive or more efficient. You have to go on a case-by-case basis. The best way to convince the business you need to spend more money is to show it will yield a security benefit and a productivity benefit. But you can’t ignore the reality that even if you can’t show a strict ROI, these are expenses that buy you some extra protection in a world of greater vulnerabilities. And that expense, compared to the cost if something goes wrong—if your supply chain is disrupted, if there is criminal activity or a disaster or a terrorist strikes—is minimal.