Business and security alignment is as important as business and IT alignment
Managing reputational, operational, and financial risks is important to a successful security environment
Bottom line: New technologies have transformed everything in business security and risk management
Technologies have improved and transformed your business processes. Cloud computing, mobility, Bring Your Own Device (BYOD), social media, and Big Data have reduced the friction that once slowed business. They have erased the boundaries between your company and the world. Information technology departments and business executives have been drawn together like never before to enable these new technologies.
The growing wave of connected devices is fueled by the dramatic drop in the cost of networked sensors. This means better monitoring and management of a wide range of devices and work processes. But it also means your network will add thousands of low-cost products with little capacity to run complex security software. Cyberdefense for IoT will have to live inside the network architecture and will require rethinking endpoint defense.
Moving forward, every enterprise must rethink its place in today's connected world. But too many business leaders are unaware of just how much has changed and how tempting their company may now be to cyberattackers. Consider the construction company whose board reasoned they were not a target because they didn't keep credit card information like a retailer. Their security adviser asked about their 50,000 employees, each with a Social Security number. The company also had a large bank account, stored payroll information, and intellectual property. They were definitely a target.
VP of Security Solutions AT&T
Here's part of the problem: Too often security remains one step removed from the officers and directors of the company. Security is seen as a technology issue. But security is first and foremost a people issue.
The good news is that more security leaders report directly to a C-level officer.[80] This will help elevate security to where it belongs: top of mind from the top down.
No enterprise can afford to turn away from the promise of social, mobile, Big Data and the cloud. CIOs have made giant strides in aligning IT with business needs. Now boards of directors, officers, and business executives need to find common cause with security leaders so that it becomes everybody's job to align security with business.
Here are the AT&T Keys to security/business alignment in tomorrow's security landscape:
Culture. Security needs to be a cultural pillar that is promoted, practiced, and valued from the top down. Training is one way to embed security awareness in employee culture.
Planning. Business goals should stand shoulder-to-shoulder with security strategy in driving technology and business decisions; risk, governance, and compliance are key ingredients in all decision-making. The earlier security enters the planning process, the more secure the result.
Toolset. Services and solutions need to be in place to protect and defend against breaches. Leaders should become conversant with umbrella technical terms like threat management, layers of security, cloud-based management services, and the modern advanced perimeter defense that drills down to individual device protection. These tools can be operated internally or in cooperation with external partners. Your IT leaders have hardware options (firewalls), software tools (intrusion detection, anti-virus, email gateways, mobile device management), and policy frameworks (defense in depth) available. Managed security service providers or consulting organizations can help you fill any tools gap and benchmark your cyberdefenses against comparable companies.
Partnerships. Identify the security stakeholders and align them on a common goal across the organization. Security/business alignment depends on these relationships.
Financial Support. Ensure security spending is a priority. Policy and spending decisions should be driven by risk, security, intelligence, and data.
There's a lot at stake. The infamous 2013 attack on Target has cost the company $162 million and counting. That does not include the damage to Target's reputation or the careers of the executives who lost their jobs.[81]
As a business leader, you make risk decisions on a daily basis: Should you invest in a new market? Should you launch a new product? But how often do you ask, “Is entering this new market going to expose our business to cyberrisks we may not be able to defend against?”
Honestly, most executives are not equipped with the information to properly answer that question, but they need to educate themselves, and they need to do so quickly.
The reality is that every single business or organization, no matter how large or small, is a target for cyberattack. From a business standpoint, risk associated with cyberattacks takes on many forms:
Reputational. The damage to your company and brand caused by a cyberattack.
Operational. Your ability to continue operating at the level the business leaders require.
Financial. Loss of customer revenue and the cost of replacing lost customers, for starters, followed by fines levied by regulators, costs of remediation, legal fees to resolve class-action lawsuits and the need to deal with government actions that may hit soon after the breach.
Liability. Legal liability for damages resulting from the cyberattack.
How to spot the risks. What are you doing that increases your risks, and what are you doing about that?
How to assign value to those risks in terms of impact on the business, both financially and operationally. A focus on data here is critical—what do you have, where is it, and what is it worth?
How to know the downside. What are the ranges of outcomes from cyberrisks?
How to address those risks. How do you handle mitigation, avoidance, acceptance, and insurance?
Dr. Tina Hampton
AVP of Security Innovation AT&T