Security Think Tank: A risk-based approach to security is key to business alignment

How can information security make business sense?

For a forward-looking and dynamic field, heavily invested in business change, it is surprising that information security is so often seen to be failing the business it serves.

Information security professionals would be wrong to assume that their work is not valued, or that senior management cannot see its potential benefits. 

The UK Government even acknowledges that good cyber security could present a national competitive advantage.

However, for every manager who is bought in to the need to conduct business in a secure manner, there are usually several who see information security as the corporate policeman, sitting in an ivory tower and handing down compliance missives as though they were boiling oil to be poured on any invading employee who dares to cross the moat.

This picture, however, seldom represents reality.

What it does reflect is a deeply embedded conflict - between the need of an organisation to be flexible, responsive and lean on one hand, and the need to manage and control risk and to act in a considered and responsible way, giving due attention to all stakeholders, on the other.

Corporate war zone

Information security sits right in the middle of this corporate war zone.

To change perceptions and be seen as a critical part of business success would be no mean feat. 

However, there is no shortage of tools to do it. It is not always about what we do, as much as how we go about it, and how we communicate it.

Information security cannot sit in a silo. It is both a technical discipline and a risk discipline and needs to fit into corporate governance and risk management structures, as well as IT ones.

Risk-based approach

That means a risk-based approach based not on how we perceive security risks, but on how the whole business perceives its security risks. It also means making sure that reporting is appropriate and meaningful to its audience, which will often be senior management rather than technologists.

It also means embedding security into business processes, particularly those outside security’s responsibility. 

For example, if you have decided to implement TLS (transport layer security) for email traffic with key domains, build the set-up into client take-on and supplier management processes rather than identifying domains retrospectively.

If you need to assess third-party security risks, rather than going it alone, you could build this into procurement and wider risk assessment processes. That way, other parts of the business will begin to see information security as a part of their role.

Running a political campaign

Finally, we need to remember that getting across the security message to staff and managers is like running a political campaign. It requires constant reinforcement for key messages, visible response to events, countering negative behaviour, a problem-solving approach and a recognition that every victory is just the trigger to raise the game further and get ready for the next campaign.

Get it right and the business benefit is undeniable. Information security can lead organisational maturity, helping to standardise processes, reduce errors and failures, build credibility, meet compliance and regulatory requirements and ensure a scalable, reliable, flexible and future-proof environment for change and growth - while only taking risks the organisation can afford to take.

Get it wrong, and that credibility can easily be lost. 

Sony and Nasa, both once envied for their success, innovation and ability to create the future, have been redefined as organisations that lost the plot on data and so lost the trust of their key stakeholders - in both cases at incredible cost.

It is rarely easy for information security to demonstrate return on investment (ROI) – what is the value of the customer you never won, because you lost their trust?

What we can deliver is customer and stakeholder trust and enhanced organisational competence. 

Right now, most organisations would value more of that.

Matt Palmer is a member of the London Chapter ISACA Security Advisory Group and Divisional head of Information Security for EMEA at a global bank