COMMENT
In the middle of a ransomware assault, supply chain and other cyber attacks against business and industry, boards of directors and other business leaders are keenly aware of the importance of cybersecurity. But only up to a certain point. Many organizations often still view security as a domain unto itself and see security teams as separate entities that operate outside of the flow of the business.
These organizations are missing the bigger picture. Security should be a strategic component of the business, rather than a cost center, because of the value it brings to the business. Security teams not only protect the company, its customers and its shareholders, without whom the company could not operate, but they can also provide truly enabling services.
A new security service that enables customer self-service, for example, does not generate revenue directly, because there is no cost to the customer. But it improves the customer experience, adding value for customers and enabling sales. Security must come out from behind the scenes and create sales opportunities, providing competitive differentiation for the company.
The growing importance of security
IT and security teams have become enmeshed in business operations; it is very rare nowadays that any initiative can be launched without the IT team on board. The growing importance of cybersecurity can also be seen in the evolving relationship between the chief information officer (CIO) and the chief information security officer (CISO).
Not long ago, CISOs reported to CIOs. Conflicts could arise because they had different priorities. CISOs could be primarily concerned with risk mitigation, while CIOs were willing to accept as much risk as necessary to meet budget goals. And there was a clear chain of command.
Today, however, CIOs and CISOs are on equal footing because they are much more dependent on each other. All new services must be implemented at acceptable risk levels and must comply with policies. There is a close collaboration there. In fact, CISOs not only have more responsibility, but they also have more responsibility, to the point where they could face criminal charges if things go wrong.
There are other ways that IT and security can be more integral to operations, such as in crisis management. Many companies have business continuity and disaster recovery plans, but lack a crisis management plan. Security may not own this area of focus, but it is a key player.
Events ranging from social unrest to cybersecurity attacks can impact operations and even put brands at risk. Responding to these events requires large-scale coordination involving multiple business units within an organization. IT can play a critical role in coordinating these efforts and refining them during testing.
Talk about business
What can IT and security organizations do to raise their profile in the business? First, it’s important to remember that security is a foreign language to many people in the corporate sector. When trying to gain support for a risk mitigation strategy, for example, you should present your case in the language of your audience, focusing on their priorities, rather than besieging them with technical security terminology.
Also keep in mind that audiences vary and the language you use should adapt accordingly. For example, customers may be focused on maintaining compliance and reducing risk, so a conversation with them may focus on how a new risk mitigation feature helps them. An executive team tends to be operationally focused on the business case and ROI of a project, so we talk about the value of risk mitigation, financial impact and return on a project.
At board level, members have a fiduciary responsibility and are likely to focus more on providing the right governance and oversight than on a specific business case. When you talk about a risk mitigation strategy with your board of directors, you can focus on benchmarking and the right security strategy for your industry.
You don’t talk to the board about operational metrics, for example, or to customers about cybersecurity risk benchmarks. You need to connect the dots so that each group understands. “Reading the room” comes in handy.
Speaking of boards of directors, it is helpful for an organization to have board members with cybersecurity experience, if not a dedicated cybersecurity expert, then at least one person with sufficient knowledge of cybersecurity and risks to provide some supervision. Knowledge of cybersecurity should be part of a board’s skill balance.
The emergence of artificial intelligence
While AI in cybersecurity is still in its nascent stage, companies are starting to identify ways to leverage AI to go beyond the expected benefits of improving threat detection and incident response times. AI-powered security stacks help security teams generate new revenue streams by strengthening customer trust, improving business continuity, and providing competitive differentiation. As the power of AI increases exponentially, security teams will continue to identify strategic use cases to drive revenue and add value to their business.
We are long past the point where security can be treated as a separate entity within companies; it is too closely intertwined with every aspect of business operations. As with any paradigm shift, adapting to this new reality requires organizations to adapt, not only in terms of technology adoption but also on a cultural level. To thrive in these new market conditions, companies must understand that the business of security is also business itself and act accordingly.