Every day, businesses make decisions. The saying "it's a business decision" is loathed by some in the security industry, largely because security was not involved in the decision.

Many of these decisions should involve the security team. However, this assumes security is embedded in the business and not on the outside looking in. Anyone who has been at this for a while knows that this is easier said than done.

The challenge is that many of the business decisions to "accept the risk" are made without the risk being fully understood, especially when it comes to handling sensitive data. Sure, businesses deal with risk daily, so risk itself is nothing new.

However, security risk can be very different. It is different in that most other business decisions are not assessed for security implications from many different angles. The security impact worthy of analysis may take the form of regulations, third parties, access controls, legal exposure, data classification, and architectural design, just to name a few. Without security teams better connected to the direction of the company, "accepting the risk" may yield uninformed decisions that have negative ramifications down the road.

However, if security is involved up front and has a chance to advise leaders on their choice, at least it is a fully educated business decision. In the end, sometimes we agree to disagree.

There has been a lot of discussion lately about creating a security culture. A security culture is more than lip service, and it is crucial.

Sure, security is important to every business. No self-respecting business is going to come out and say it in any other way. The difference is in action, not words.

Action in that security is seen as a strategic partner and not an inconvenient speed bump. Action in that the Chief Information Security Officer (CISO) is positioned with unobstructed access to leaders, including the CEO, so that he or she can influence the leadership team as a strategic partner. Action in that achieving compliance is not mistaken for a successful security program. Check!

In just one recent example, the FFIEC's press release mentions in its first bullet "setting the tone from the top and building a security culture." Furthermore, there is emphasis on aligning security with business strategy.

Ideally, it would not take something in writing for this to take shape, nor should companies need to be told what needs to be done. However, in the absence of execution, regulators step in and provide oversight into what should have been done in the first place.

It is fairly obvious that business decisions are being made without security teams having a chance to be in the know. Many will look at this and say it is a failure of security teams, because they have not been able to mature enough to make their mark internally.

While that may be true for some, not everyone should be painted with this brush. Readers of Dan Geer will likely agree with his oft-repeated observation that "cybersecurity is the most intellectually difficult profession on the planet." The uphill battle will persist, but it seems, as of late, that more companies are turning the corner and maturing to include, rather than exclude, security.

Creating a security culture is also a business decision. At some point along the way, investments in security, and not just in products, are required in order to influence the human capital. Getting a seat at the table without a solid security culture is easier said than done. For those who have yet to get a seat at the table, some reflection is needed as to why business decisions are made without involving security.

One key area to consider is how well security is aligned to the direction of the business and to what matters most to the business. While this again sounds obvious, it bears repeating, because many teams are not projecting the right message to management as to how security is aligned with their strategy.

Security often reports on things such as attacks stopped, patching success rate, and speed to update signatures. All of this is good data, but it likely does not match what matters most to executives.

For example, executives may track things such as lost customers, lost inventory, and number of units sold. How does patching a web server correlate to lost customers? Security teams understand the correlation, in that one protects the other: a patched server is a hardened server, which means a less vulnerable server at lower risk of compromise, which in turn means a lower chance of a breach that costs customers.

As such, security teams must ensure their measurements align with what the business is concerned with, in addition to the technical data they already collect. The technical data will likely not surface in the boardroom. However, measurements that relate security to the strategy of the business would, and should.

There is movement in the right direction as of late to help shed light on the need for security culture to improve. It is necessary to help teams collaborate and align with the business in order to better protect what matters most. Failure to do so will lead to more business decisions where the risk is accepted, but where the true security risk is never fully understood.
