Many CEOs regard IT security as a cost of doing business. Hord Tipton, executive director of (ISC)2, wants to change that perception and is making it his mission to shift ISC(2)'s focus from the usual security executives to higher-level executives on the business side.

"For so long we have been preaching to the converted," Tipton said.

Business executives are in scarce supply at events like this week's (ISC)2 Congress, which is packed with IT security educational events and sessions. This lack of executive interest can translate into security problems, Tipton said.


"You have to have their support, otherwise we're wasting time and we're operating under what I call a pseudo sense of security," he said. "If they don't believe in it (IT security) or just see it as a nuisance, as opposed to being a profession that enhances and adds to the bottom line, then you will have a really have a hard time getting them involved in the way that they should be."

If high-level executives don't realize the value of IT security early on, Tipton said, the only thing that may capture their attention is a security breach. At that point it's probably too late, he argued.

ROI of IT Security

Tipton has a few ideas for engaging with higher level executives. Understanding what motivates C-level execs is at the top of his list. At some level, it probably involves money.

"You have to understand their business, and you have to express what security adds to the company as something more than just screaming that the sky is falling and bad things will happen to you," Tipton said. "You have to show that sound security does make the company money."

Tipton added that he has yet to find a situation where IT security did not produce a good rate of return on investment (ROI) in a short period of time for a company. In his view, talking about money and business efficiency is the first step in getting the attention of a C-level executive.

Calculating ROI for security, however is not an easy science. "You have to look at it on a case-by-case basis, but there is data that shows what the cost of a data break is," Tipton said.

The cost of data breaches may well be on the decline. The 2011 Cost Data Breach Study from the Ponemon Institute, found a 24 percent decrease in the cost of a data breach in the past year. That said, the cost is still high, coming in at an average of $5.4 million or $194 per lost customer record.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter @TechJournalist.