Corporate Boards are composed of accomplished professionals and their main purpose is to govern a commercial entity by establishing broad policies and objectives. The Board also accounts to stakeholders on the overall performance of a company.
Board members are undisputedly busy people who have to grapple with varied and difficult aspects of directing a company, especially so in the current harsh economic climate. It is however clear that most Boards under-appreciate the importance of ICT security to their companies.
The importance of implementing ICT security measures in a company is usually misunderstood. This is due to one primary reason. Most Boards struggle to see the value of ICT security because it does not provide a measurable Return on Investment (ROI). This is understandable because an average computer user would find it hard to quantify the ROI on that antivirus program that he/she purchased one year ago.
The question can thus be framed - what positive impact does ICT security have on a company’s bottom-line? We can even go further and ask ourselves whether it would be possible to calculate the ROI on the high perimeter wall and strong window grills we have built in our homes.
Corporate Boards should understand that ICT security is not an investment that provides a return. It is not like a new shamba or a new boda boda motorcycle who’s ROI can be measured.
ICT security is an expense that pays for itself in the cost savings. In other words ICT security is about the loss prevention, not about the earnings. This loss prevention also affects a company’s bottom-line.
For example a company with a weak access control system would most likely suffer from frequent hacking attacks. Their credit card database would be attacked and this stolen data used to commit fraud. The business would suffer because customers would no longer trust this company and would move to the competition.
If, however, this same company implements robust access control measures it can reduce the chances of being hacked to zero. This loss prevention would positively impact on the company’s revenue and reputation.
IT professionals therefore need to present a compelling narrative to corporate Boards that will result in behavioral change.
Corporate Boardrooms in Kenya should conceptualize ICT security as a loss prevention process and not a measurable ROI exercise. They need to ensure that management implements an ICT security framework and that all employees know about it and more crucially understand it.