The problem with security
To paraphrase Michael Jackson, “we’re starting with the people in the mirror, and asking them to change their ways.” Too often security professionals blame senior executives and Board members for their failings when it comes to security. Executives are pilloried on social media for ignoring their security teams or not understanding the risks posed to their business. This is unnecessarily stressful for the security team and especially exposes the CISO in the event of a breach or when the organisation fails to meet its regulatory, legal, or contractual obligations. Furthermore, Executives and Boards of Directors are accepting security risks without fully comprehending the issues or punishments they can face.
Is it everyone else’s fault? Or do we need to look at ourselves and our practices? Security has just become a Top Risk for businesses and the most cited risk for financial organisations. So is it justifiable to accuse Executives, Founders and Board Members of not caring about the business’s continued existence? Or that they are just so blasé about the punishments that they don’t care about security? I would argue that it isn’t. I think we need to take a serious look at ourselves and change how we do security.
The solution: Business-Driven Security
Firstly, we need to change how we present risks: providing a risk register that’s full of colour but little substance isn’t going to help the business prioritise security risks appropriately. How can the business compare a financial department risk of losing £20 million with a security risk of ‘Medium’? What does ‘Medium’ mean anyway? Is it a Confidentiality risk? Integrity? Or Availability?
Secondly, we risk professionals must put aside our own biases about what we think is important. Any business is made up of interconnected and mutually supporting departments, functions, and strategies that are often in direct competition for limited resources. Executives and senior leaders need to triage and prioritise these competing needs. Understanding the differing needs of the organisation, and the models, pain points, and expectations on individual departments, will help security teams both prioritise and develop truly holistic security strategies that benefit the business.
Thirdly, the other functions need to learn about security. Universities can include security and technology as topics on all MBAs, for example; these are business functions just the same as marketing, finance, or HR, so future leaders should be taught about them. Security teams also need to educate their senior leaders on the benefits of security, as well as the models, pain points, and expectations that security teams are subject to.
These are some of the ways Business-Driven Security can be fostered in organisations.
As a profession, we should stop complaining about our senior leaders, and start enabling them to take better security decisions.
If you would like to discuss more, please get in touch: firstname.lastname@example.org