With the RSA Conference next week, the biggest conference of the year when it comes to enterprise security management, now is an ideal time to look at how IT and security leaders keep security efforts aligned with business objectives.
There’s a reason why attaining adequate and consistent information security is one of the most challenging aspects of technology management today. The business needs to push IT as far as it can to compete. The CIO and business leaders need to provide the applications and the access to data that help people become productive as quickly as possible, and to get the business services and features that customers want to market. The role of security, however, is to make sure all of this is done in a reasonably and adequately secure fashion.
This obviously causes a natural friction between the objectives of the business and the needs of the security team.
When this friction between the business and security isn’t properly managed, a misalignment arises—and it’s costly.
Without executive leadership, security efforts get sidetracked by the business, appropriate budgets aren’t put into place and overall security and governance efforts are weak. And a lack of healthy dialogue between security leadership and business leadership leaves misconceptions about the level of security actually in place.
The Case for Security Leadership
A few years ago a Global Information Security Survey conducted by CSO online and PricewaterhouseCoopers found that 43 percent of organizations surveyed believed that their organizations were information security “leaders.” However, when screened for the attributes typically found among information security front-runners, only 5 percent appeared to actually have mature security programs.
That’s quite a disparity.
And when we have this much of a disconnect between security and leadership, proactive security investments don’t get funded, there’s no consistent security policy enforced across the organization and executives don’t understand the real types of business technology risks they face.
Fortunately, that is starting to change. According to PwC’s most recent “Global State of Information Security Survey 2016,” boards are today more involved in security budget, strategy, policy and other aspects of information security management.
In my interviews with CISOs and CIOs over the years, it’s hard to find anyone who doesn’t agree that security and business alignment requires healthy and open lines of communication. And this is one of the first places nearly everyone recommends enterprises start if they are not aligned.
Executive leadership is critical when it comes to successfully aligning security and business objectives. This is because information security teams need to make unpopular decisions. They may have to slow down the release of a new service (especially if the only security review came at the end of the development pipeline), require more automated tests or suggest other ways of doing things that may mitigate unnecessary risk.
But let’s face it, without executive backing, these efforts will get run over by the momentum of the business. Does this mean security gets everything it asks for? Of course not, but that’s where good communication comes in: at least business leaders come to understand how technical risks translate into business risk.
What is undeniable is that enterprises with security programs that are aligned with their business and the risk appetite of their organization are going to be more successful in their risk management efforts than those who wing these things.
In a 2014 Accenture report, “The Cyber Security Leap: From Laggard to Leader,” Accenture concluded that “as part of establishing better governance and controls, CISOs should foster a strong working relationship with their boards and create greater visibility into business processes. They need to educate and collaborate to successfully articulate and prioritize business risk, including insider-related risks. The strategy should be continually assessed to evolve with the organization’s posture and get the best use out of resources.” I agree completely. And if more organizations conducted themselves in such a way, there’d be a much smaller gap between security teams and their organization’s board of directors, and a much narrower gap between security perception and security reality.