11 key areas security needs to address
The threat landscape is constantly changing. I believe that security has grown up to find its place and value in the business today. In talking with clients across industry verticals, we see that the CSO (Chief Security Officer) is being asked by business executives what is being done to combat these threats.
The CSO has to articulate to the business that information security has become a business enabler and is critical for organizations. It is important to explore information security from a business point of view with the premise that investing the time and resources needed for security risk mitigation produces excellent returns from a business perspective.
I am sure this sounds easy, but the difficulty is finding ways to measure the value of information security. Measuring that value is key to ensuring that security investments yield suitable business returns across the enterprise.
Based on conversations with organizations, we see that many don’t understand the value of the information within their enterprise. At the business unit level, there is a lack of understanding about information risk. Security is not equal to compliance, but the reality in most organizations is that the two are treated as synonymous. Regulations are looked at as a necessary evil, yet they present themselves as a solution to an ever-changing problem.
So what does security have to bring to the board today?
- Security must add value to the business
- Business owners want better performance, value and brand recognition
- Security must not be in there just for the sake of security
As a security professional, I feel we have to work on these 11 areas:
- How do we change the perspective of our Business Partners with respect to security?
- We need to understand the drivers of organizations
- It is important to build relationships that encourage open dialogue
- We have to get away from the fear of bad press, customer loyalty & market cap
- We should help change the attitude that our focus is all about the money – or in our case – the revenue
- We need to change F.U.D. from Fear, Uncertainty, & Doubt into Facts, Understanding, & Dialog
- We need to find ways to fix business challenges – not just look at security as a challenge
- We need to realize there is a reason users embrace tablets or smartphones … what business issues are they trying to solve?
- Reports should show risk within various business units as well as overall enterprise risk
- We need to continue educating users about more than business risk
- We should help users understand the risks – because most don’t