
              Making the Shift to Seeing Security as a Business Function

Three dimensions that better position organisations for security success. By Andrew Matthews

              In our first post inspired by the IDC IT Security MaturityScape Benchmark for Asia Pacific report, we looked at how a company can help its security practice thrive rather than simply survive. Now let's take a more focused look at what the location of the security function within the organisational structure can tell you about the organisation's security posture.

              You will remember that the report measured company security maturity across five dimensions: vision, risk management, people, process, and security technologies. To get beyond the bare bones of security, let's focus on how people, risk management and vision support a strong security posture and benefit an organisation's overall position.

              Without a Forward-Looking Vision, Security Falls Behind

Companies without a mature security vision, that lack mature people practices and that don't scientifically evaluate risk when making security decisions, often find themselves overwhelmingly clustered around the bottom end of the security maturity scale. Either their security programme is ad hoc, using basic operational measures on a reactive basis, or it is opportunistic, with a focus on tick-box compliance that is, once again, purely reactive. In these cases, the chances are that security is seen exclusively as the province of the IT department. If the organisation has any staff specifically responsible for security, their role will almost certainly be a technical one, with little or no management responsibility, and with a primary focus on firefighting and disaster recovery.

              When this happens, security can take a back seat to more exciting aspects of technology, creating the challenge of maturing one's security programme. Organisations that neglect security are likely to see it as something that is tackled only through the technology dimension, instead of considering all five dimensions outlined above. That's an approach that will keep the company at the lowest end of the maturity scale.

Moving beyond reactionary security practices requires a clear reporting line to senior management; an understanding that effective security is actually a business enabler; and the presence of a mature security attitude embedded across the organisation.

              It has been amply demonstrated throughout recent years that security breaches have far wider-ranging implications for businesses than the purely technical. Customer trust may disappear, share prices may suffer and IP and other assets may be lost. In contrast, effective security builds trust with clients, end users and other stakeholders and can create a competitive advantage. If security is solely seen as either the responsibility of the IT department or as an operational adjunct to physical security, a mature program is going to be hard to achieve.

              Adopting a Risk-Based Approach to Security

In the broadest terms, cybersecurity leaders are responsible for maintaining the confidentiality, integrity and availability of an organisation's information and systems. Historically, many organisations that lack a mature security programme have associated an increase in security with a decrease in usability, making it difficult to prioritise security when it is evaluated against other parts of the business. This outdated thinking often leaves organisations exposed to unnecessary risks. A more mature organisation bases its security decisions on risk calculations. To accomplish this, security leaders need the support of the CEO and board to strike the right balance between organisational strategy and risk management within the context of the business's tolerance and resources. This requires a shift in mindset, bringing security out of the IT shadows and into its place as a business function with its own budget, enterprise-wide security programmes and equal access to executive support.

In contrast, the companies that cluster towards the top of the maturity scale in the IDC report successfully manage risk by folding it into the organisation's overall business strategy. Ultimately, businesses that consider cybersecurity risks early on and embed them in the overall strategy are better prepared for challenges, with fewer organisational interruptions. For instance, rather than the CISO reporting to the CIO, moving the reporting line to the COO positions security as a direct business consideration that will be risk-assessed like any other, rather than an afterthought once an incident occurs. Folding cyber risk into overall business strategy also makes security more visible across the organisation as a whole, with end-user awareness immediately enhanced, especially at senior level.

When the appropriate people, across all levels of the business, are invested in cyber security, a natural transition is made – a shift towards creating the appropriate vision to move away from a reactive approach in favour of business-focused risk analysis. This is a major step towards creating a mature security culture that builds customer trust and genuine competitive advantage.

              In the final blog in this series, I'll be pulling together the findings of the report to discuss achieving optimised security. In the meantime, you can read about how to reduce your risk through detection and response here. And if you'd like to find out how a trusted security partner can help you move up the maturity scale, please get in touch.
