How can security play a central role in enabling business growth?
The business case for information security has finally been recognised, writes Simone Seth, senior research consultant at the Information Security Forum.
Rather than being viewed as an unwanted necessity and expense, information security is now seen as a valuable contributor to protecting and managing brand image. It is also critical for satisfying regulatory compliance requirements. As a result, savvy business leaders are leveraging information security to distinguish themselves from competitors.
Organisations need to address two aspects of security spend - baseline investments and risk-based investments. Over the past three decades, organisations have become adept at making baseline investments needed to safeguard enterprise operations from known threats and vulnerabilities. This typically includes investment in firewalls, anti-virus and intrusion detection systems.
The opportunity to make risk-based investments - that is, security investment targeted to address business operations that are high risk and possibly high return - continues to pose a challenge. New security products, coupled with open architectures, allow organisations to invest in new classes of applications and business processes. Business models are constantly changing and the security function needs to be agile, to enable and facilitate the accomplishment of business goals.
Security investment should be targeted towards managing areas of high business risk. However, the success of a risk-based security investment strategy is predicated on a clear understanding of the organisation's risk appetite and risk profile; yet business leaders and security practitioners often lament the difficulty in understanding and managing risk.
Security leaders need to create the means for business objectives to be realised in a way that does not compromise baseline security safeguards already in place. They need to evaluate new technologies and refine processes to ensure interoperability with the existing security model, while achieving new business objectives. This is certainly not a trivial endeavour. However, if strong communication links are established between business leaders and IT and security professionals, and a shared vision that drives success is adopted in place of a blanket risk-avoidance approach, security can serve as an enabler for business.
This was first published in September 2009