When I began my security career, shortly after the Y2K scare, there were many conversations about security as a roadblock. “Can’t do that ‘cause security won’t let us!”
Most of the time security had the best interest of the company in mind, but other times it was because security professionals didn’t always understand the business objective. Silos existed in IT, IT Security, Business, and Customer Service. In some companies, they still exist. Think about what they each have to do:
- IT needs to keep the lights on;
- IT Security needs to keep data protected;
- Business needs to make money efficiently; and
- Customer Service needs to keep clients happy.
Is it even possible for these to all co-exist and be successful? Security, like much of IT, is a cost center. The common view is that it is necessary but does not generate revenue. How many widgets have to be sold just to purchase encryption licenses for all your laptops? We as security professionals must strive to change this mindset.
Pressure from Customers
Now, my clients approach me more often for guidance about the pressures they face from their customers – and they need to keep this business! Customers relentlessly ask how their security is implemented, what controls are in place, what their Information Security Management Program is, when they can ‘pop in’ for a site visit, and so on. The pressures are real, and business is being taken elsewhere or delayed until there is proof that strong security controls are implemented, maintained, and monitored.
New Role – “Security Questionnaire Responder”
There is a new role developing in security – ‘Security Questionnaire Responder’ – and many companies have found this to be a full-time need. In my four years leading a security program at a large organization, I saw a 900% increase in the number of questionnaires we had to respond to. A lot of work, yes, but on the plus side, my one, three, and five-year security roadmaps were finally getting additional attention. Now the question was how many widgets are you NOT going to sell if we don’t install that encryption?
Why the Sudden Swing?
Sure, companies are afraid of the outcomes of not properly protecting data. They don’t want to be in the headlines so they must execute their due diligence to ensure their business partners are secure. But we’ve operated too long with a false sense of trust. We want to trust that our partners are going to protect our data, but what if they can’t protect their own?
It is About Trust
Trust is not an easy thing to earn today and can be costly. My message to CEOs, CIOs, and CISOs alike is “Let’s use security to enable your business to do more – set yourself apart from the competition!” By meeting with business leaders outside of IT, we gain a deeper knowledge of what they are trying to achieve and of the outside factors (regulations/clients) that can heavily affect the bottom line. It also gives us the ability to discuss the industry-specific threat landscape and identify key areas of risk.
While we gain visibility into the business goals and strategies, we must provide intelligence in business terms about the threats and potential costs of an executed attack. From there, we can discuss the custom response strategy for organizations to implement and execute the proper controls around people, process, and technology – before an attack occurs.
Only through these strategic discussions, education, and proper execution can we help our clients build trust and enable their business to succeed through outcome-focused security.
This post was written by Luke Klink, Advisory Services Lead, Rook Security