IDC hosted its annual U.K. security conference on March 28. A clear theme emerged during the keynote presentations, roundtable discussions, and informal interactions — the need for security to act as business leaders, not “just” technology leaders.
Security Leaders as Business Influencers
Unisys Chief Information Security Officer (CISO) Mat Newfield highlighted that 60% of board directors cite cybersecurity as their top concern. At the same time, however, 60% also do not feel confident in their CISO’s ability to have a business conversation. Clearly there is a disconnect. Despite this, IDC believes we are on the verge of a new era of collaboration between security and the business.
The door is open for security teams to play a much more strategic role within the business, but security leaders must develop in order to grasp that opportunity. Security leaders have tended to come from technical backgrounds, yet the demands placed on roles such as the CISO are increasingly business-centric. A primary takeaway from the event was the recognition that security leaders must evolve beyond technology experts to become business influencers.
The word “influencer” is critical here. It was also highlighted that it is not security’s role to take decisions out of the hands of decision makers, but rather to make sure that they are informed enough to take those decisions in the best interests of the business. In the words of one conference delegate, “Let the business lead. Security’s role is to provide the right framework to guide the business through.”
Raise Awareness, Minimize Risks
A big part of this role for CISOs and other security leaders is to raise their organizations’ security awareness, and even to build security into organizational culture. IDC’s research indicates that this is one of the primary business outcomes that security can enable (alongside factors such as operational efficiency and providing the digital trust to enable digital transformation). As suggested by Marc Lueck, CISO of Company85, there is an opportunity to transform the way security teams view end users: rather than being a threat, proper awareness can “recruit” employees into the security team.
By embedding security into “business as usual,” organizations can pursue resilience in the face of the ongoing security challenge. As highlighted by Tony Wand, U.K. sales manager at StorageCraft, when businesses suffer an incident or a breach then the key to success is not to stop every potential attack. As pointed out by Unipart Interim CISO Sue McCauley, even the best prepared organizations can (and will) suffer a breach. Rather, Wand stressed that the ability to get back up and running is critical.
Outcomes such as awareness, culture change, and resilience provide opportunities for security to demonstrate business value. However, a shared concern aired at the conference was the need for a common means by which to measure security’s impact. Another key learning was that risk is emerging as the reference point through which security concerns can be expressed as business terms.
In developing risk-aware approaches, CISOs and other security leaders have happened upon a means by which to provide the board with the framework that enables business leaders to take decisions within an informed security framework. As highlighted by most of our speakers, by comparing metrics such as the value of assets at risk in the enterprise with options on the cost of mitigating that risk, business leaders can plot a course to their desired balance of risk appetite and security investment. This is exactly the kind of guidance and framework that security leaders must start facilitating to assume their rightful place as business leaders and influencers, leaving behind their past as technology specialists.
Join me and my team at our now regular breakfast briefing on the middle day of InfoSec. Register here!