The good news is that IT managers don't have as tough a task as they used to. If last year's events served as a wake-up call for business-security vulnerabilities, it also made it that much easier to ask company executives to invest in a solution. "I can say that it probably scared people enough that it's not a sell job," said Karlin Bohnert, chief technology officer at energy company PacifiCorp.
Financial-services company ABN Amro North America kicked its security efforts into high gear after the Nimda and Code Red viruses ran their course, senior VP and chief information security officer Sharon O'Bryan said. Her position was created following those infestations, and she has direct access to the board of directors, so it's easier for her to make a direct business case and promote security, she said.
Nonetheless, many IT execs still face an uphill battle convincing their bosses to invest properly in security, since the returns are largely hypothetical. "You're not going to get the ROI of the classic IT investment; it's a different business case," Bohnert said. Instead, managers need to find real-world examples of companies that weren't secure and got burned, helping execs understand that their return on investment is avoiding that unpleasant scenario. "You cannot sit there and say, 'it's a defensive posture,'" she said. "You have to say, 'here's what could happen to us.'"