My passion is the connection of security to the business objectives, and it has been a part of my work with many CISOs across industries as well as my experience as a CISO. This blog series a compilation of my learnings as a CISO, as well as learnings from peers and customers who are actively working to figure out how to best align security organizations with their business. This first blog will cover why it is so critical for a security organization to shake off the total compliance mindset and be balanced with a focus closely on aligning to the business of the organization with a clear risk-based approach.
It is not news that the world changed in the last two decades through digital transformation and the requirements for security have also. Initially, it was mainly focused on protecting the network and building virtual walls around the digital assets of a company. The fast evolution of mobile technology, globalization, and digitalization has disrupted standard assumptions for business and they are transforming to adapt, and security needs to be in lock step or better yet – to lead this journey. The world is not what it used to be as it looks more like the graphic image below:
Security must be closely aligned to the business it serves and protects against attacks by the criminal groups working on the Internet. Crime went digital– from vandalism to classical crime to nation states. The business, on the other hand, gets disrupted and must change at a speed never seen before. This is the place, where security needs to be.
Security must enable the business transformation and ensure acceptable business risks. This is a non-negotiable truth as security’s sole purpose of existence is to protect the organization that employs it. This is more difficult than it sounds because security started as a purely technical discipline with a common belief that success was achieved in compliance with standards. Many organizations are on the journey of shifting this mindset to a risk-based approach and a deep alignment with their business counterparts. This is a major shift for the security organization as it requires major cultural changes, different priorities, changing of processes and habits, as well as technology changes. I have seen a lot of security people “hiding” behind their policies instead of helping the business to be successful. This is not solving any problems in today’s world.
Regardless of your industry, compliance does not bring security – good security brings compliance. Success in security is all about running a reasonable risk management and risk mitigation program, which is leveraged and often even driven by the business leaders, and which clears the way for the business to be successful in a frequently hostile environment.
Chief Security Officers must re-think what they do, re-think the way they look at the world and constantly try to disrupt themselves. I recognize that this is something people in security are typically not good at, as most of us had been taught risk avoidance during our careers (sound familiar?).
Disruptive changes require going against this nature and taking risks where the outcome is uncertain. While this is uncomfortable, it is critically important for our future success.
Looking at it from a more outward view, the CSO has different constituencies to satisfy:
- Top-Management: The top management wants to understand their key cyber risks, what they need to do with them and whether they invest the right amount in the right location. “Key risk” means comparable to the other business risks they must deal with. CSOs need to keep this in mind: The CEO has a lot of business risks on his/her table and the Cyber risks have to be aligned with them. Typically – as a rule of thumb – we might speak of 5-8 risks, where the CSO needs to see action and support by the CEO and the board.
- Employees: Looking at the employees, security needs to enable them to run their business successfully and with acceptable risks. It is not about security or productivity, we talk of security AND productivity.
- Customers/partners: Obviously, customers and partners have a certain expectation about what the supplier does with their data and how they protect them. This is not “only” compliance to data protection regulations, but gaining trust.
- Regulator: Regulators are heavily challenged by today’s situation. Rules which were valid a few years ago, do not apply anymore. New definitions of sovereignty need to be developed. Modern technologies suddenly change the rules of the game as it was known. Most regulators need help and they want to listen to the industry if the discussion happens with mutual respect.
- Security Community: The security community is often ignored by companies, which can lead to rather dramatic security challenges. Think about what happens if somebody finds a vulnerability in an infrastructure and wants to responsibly disclose this vulnerability to the security organization. How do they find the right people and process? How are they dealt with?
Security needs to be re-thought and certain base assumptions need to be disrupted and re-thought. Progressing digitalization, as well as emerging technologies, will challenge the thoughts again and security functions will be constantly forced to look for new and creative ways to support the business. Our stakeholders are moving fast and so must we. We need to get more in a DevOps approach and align closely with the fast-moving criminal landscape, the fast-moving technology, and the fast-moving business.
For more information