My previous blog post, Self-Improvement Agenda for CISOs: Top of Mind for 2015, highlighted an important insight that was uncovered in a recent series of workshops with information security leaders. Security professionals are generally good at communicating the business value of things they do that are important but not necessarily strategic. For example, compliance and cost don’t always communicate their strategic components, such as risk and enablement.
To fully appreciate this insight, keep in mind that a given activity can be important to the business (e.g., every company needs to have a payroll system), but it may not be strategic (e.g., having a payroll system is not how a company differentiates itself from its competitors).
Here, we’ll focus on four high-level categories: risk, compliance, cost and enablement. Through many years of experience, it has been confirmed that the business value of information security is not always expressed in one or more of these four categories. This is actually the same framework put forward in a 2001 text on public key infrastructures. So, what are these four potential types of business value, and what is it about them that should be part of the self-improvement agenda for chief information security officers (CISOs) and their teams?
This one is easy. Everyone agrees the primary purpose of an organization’s information security function is to manage risk. Unfortunately, it’s quite common that many security professionals don’t have the correct understanding.
First, the objective is not to minimize the organization’s security risk or look to implement the best possible security — even if we can agree that no mix of policies and controls can be 100 percent effective. On the contrary, the goal is to manage security risks to an acceptable level (i.e., within the management’s appetite for risk). Faced with identical circumstances, some decision-makers will choose to accept the risk, while some will choose to ignore it — which has the same effect as acceptance. Others will try to transfer it to someone else. Still, there are those that will take steps to manage it at an acceptable level.
Second, security risk is not synonymous with threats, vulnerabilities or exploits, as much as we love talking about those things. The proper definition of risk is the likelihood that some threat will exploit a vulnerability, along with the magnitude of the business impact if the event actually occurs. If we aren’t communicating in terms of likelihood and impact, we aren’t really talking about risk — and it’s small wonder why we frequently struggle to convey the business value of information security.
Achieve and Sustain Compliance
This one is easy as well. Most everyone will agree, for example, that addressing regulatory requirements — both government- and industry-driven — for the security and privacy of sensitive information is something all affected organizations must do. Still, in the context of our discussion about the business value of information security, there are two important things to understand about compliance.
Broadly speaking, the “compliance” category includes not only regulatory requirements, but also requirements or expectations from customers and business partners. These include capabilities needed to keep pace with competitors, those that are integral to some internal strategy or decision (e.g., “all PCs will use self-encrypting drives by the end of 2015”) and so on. The point is that these drivers for investments in information security can come from many sources.
More importantly, most people have come to acknowledge that compliant does not mean secure, in the sense that an organization can easily experience a security breach between one demonstration of compliance and the next. According to Aberdeen Group research, organizations that adopt the strategy of “first security, then compliance” — as opposed to “first compliance, then security” — consistently achieve better results. In other words, compliance is something derived from the organization’s security policies and controls, not the other way around.
Reduce Cost to Provide Business Value
This is where things get trickier. Discussions about the business value of information security can take two directions — cost avoidance and cost savings.
Investments in security can help prevent the occurrence of an incident and reduce the total business effect of an incident that does occur. In fact, this is completely consistent with discussing security risks properly, in terms of likelihood (i.e., reducing the likelihood of an incident through prevention) and business impact (i.e., reducing the business impact through faster detection, response and recovery). Most of us have had the experience of a chief financial officer (CFO) trying to push these arguments aside as soft dollars. But although this can and does happen, it doesn’t make the CFO right. We need to frame discussions about security properly, in terms of risk — both likelihood and impact — and in terms of the decision we are trying to make. For example, how does an investment in user awareness and training actually change user behaviors and quantifiably reduce the organization’s risk?
We are always spending a certain amount of money to accomplish a given task, but we can support a higher scale at a lower cost by making some particular investment. Solutions that automate the management of tasks, such as endpoint security, configuration changes, encryption keys, Web server certificates, user identities and access privileges can all contribute to lower costs and better service — and legitimately save the organization money. Automation is the friend of information security as much as it is to any other business function.
Enable Business Objectives
Though this category seems to cause security leaders the most difficulty, in the CISO workshops, having an attitude of aligning security initiatives with helping the organization achieve its strategic objectives was at the top of their list as part of ongoing movement away from the “Department of No” reputation of years past. In reality, the concept of enablement brings us back full circle to the concept of risk, although in a slightly different sense.
There are two types of risk. In many ways, managing enterprise risk is like managing cholesterol. It comes in two types: good and bad. We need both of them to be healthy — too much of one type or not enough of the other can lead to a variety of problems. Some of it is inherent and external, while some of it is produced by our own choices and activities. These are sometimes referred to as unrewarded and rewarded risks, as illustrated by the following graphic:
Security plays a legitimate role in both rewarded and unrewarded risk. For many companies, investments aimed at unrewarded risks are consuming the lion’s share of their limited resources, keeping them painfully distracted from contributing more to the rewarded risks that really matter — those that create value for their customers and ultimately grow the business. This is really the same point made previously regarding the difference between important and strategic. In other words, although workshop participants identified risk and enablement as their biggest challenges, these are really two sides of the same coin. Both can be addressed by learning to communicate more effectively — and properly — about risk.