I recently spoke at a CW500 event on enterprise security architecture as an opportunity to close the gap between the business needs and the capabilities of the information security profession, writes Mark Brown. It was well-attended and led to some interesting discussion among attendees, mostly security professionals. The discussion continued after the main event and one question was on the lips of every speaker: “Does the industry truly understand what we are saying?”
I have been pondering this for a couple of weeks now. I remain convinced that, unfortunately, most infosec professionals remain focused on “keeping the lights on”. In other words, they operate in an IT comfort zone, rather than accepting they need to adapt to a new progressive approach to information security that aligns it to business requirements.
Enterprise security architecture, in its many guises – TOGAF, Zachman and SABSA are but a few of the frameworks – gives information security professionals an opportunity to identify with and embed themselves in the wider business. In doing so they will be forced to review how they enhance effectiveness across the business's strategic intent and become an enabler, rather than being seen as someone who puts up obstacles to the business.
The obvious question is, if the means to achieve a new approach to information security are there and known to our profession, why are we not operating an information security management system aligned to enterprise security architecture?
Ernst & Young’s latest Global Information Security Survey found that 85% of UK companies surveyed believed their information security function was not meeting the needs of their business. Similarly, 62% of companies surveyed accepted that their information security function was not aligned to enterprise architecture, and 40% of respondents accepted that information security was not aligned to enterprise risk appetites.
So there is an issue here to tackle, and tackling it requires a new role for the information security professional in a modern organisation. In my experience, those of our colleagues who truly become part of their organisation are focused on three key issues:
- Optimising its financial performance and minimising financial risk;
- Protecting the brand reputation of the business;
- Protecting and enhancing customer loyalty.
So where does keeping company information systems and information secure come in?
Those responsibilities are still within their remit, but they should be accepted as a tactical component of a larger requirement: enabling the business to serve its customer base safely and securely.
To take that step and close the gap between what the business requires and what our profession currently offers, moral courage will be required across our industry. We must be brave and recognise our failings and accept that, to survive as a necessary component of the business, we must first understand what it is trying to achieve.
If we want to be accepted as a crucial member around the decision-making table, and to be recognised as leaders rather than followers, we must embrace change and redesign our approach to information security. As a profession we must demonstrate how our function can deliver business results. Instead of looking at the existing landscape and asking how it can be reworked, information security functions should undertake a fundamental redesign that allows for innovation and incorporates new technologies.
Our expert teams can get there by following a few simple steps:
- Identify the real risks: An effective strategy will treat technologies and issues such as cloud, social media, big data, mobile computing, globalisation and borderless as core concerns, rather than as mere “bolt-ons”;
- Protect what matters most: An information security framework should assume that breaches will occur and so planning and protecting is more important than detecting and responding;
- Embed information security in the business: All employees, functions, business units, projects and so on have a role to play and should understand the risks;
- Sustain your information security programme: Keep information security frameworks effective, up-to-date and responding to the real risks with compliance measures, self-assessments, incident follow-up, continuous learning and improvement measures.
At a time when our profession is in higher demand than ever before and discussed at the highest levels of government and business on a regular basis, can we afford to miss out on this opportunity?
Mark Brown is director of risk & information security at Ernst & Young
This was first published in March 2013