March 23, 2016 By Bob Kalka 3 min read

Sent to Coventry.

A proper Englishman would take great joy in sharing the illustrious past of this allusive phrase, referring to those who are ignored or ostracized by a greater population.

Sent to… Security?

Until a few years ago, the relationship between IT security and the rest of an organization was relatively predictable. IT security had traditionally been seen as the domain of super-smart technologists who didn’t always mix well with others and who spent their time constantly pleading for funding to deploy the latest products for protecting the organization against threats that seldom seemed to materialize.

IT security also became known as the “Department of No” — the place where business and IT leaders would get stuck when trying to roll out their latest innovations to get a leg up on the competition through technology, based on overprotective concerns about mysterious threats that seemed to be unlikely to impact the organization.

Then compliance happened. As major regulatory mandates such as the Sarbanes–Oxley Act (Sarbox), the Health Insurance Portability and Accountability Act (HIPAA) and others started to emerge in the late 1990s and early 2000s, the IT security function became one of the linchpins for asserting proper governance and compliance.

Senior IT security leaders — whether a chief information security officer (CISO) or a manager of network security — naturally took advantage of this imperative to divert additional funding toward ensuring additional security technologies and processes were in place. But businesses often saw this as delaying their own customer-focused initiatives.

Bridging the Gap

Clearly, this was not a great organizational resume for fostering productive internal relationships across a business, especially one that was primarily focused on growing through innovation. And it showed.

IT operations became frustrated over supporting dozens and sometimes hundreds of security point products in production, many requiring extensive architectural support and changes to networks and endpoints.

C-level officers and business executives faced an unwelcome and constant barrage of requests to direct funding toward yet another security initiative based on a compliance mandate, without any understanding of the explicit business value of these investments. Boards of directors were forced to support these investments due to growing worries about the publicity and fines that could result from failing to meet regulations or from becoming the victim of a data breach.

In other words, the IT security team was the function you were forced to work with. Then the real problems started.

Fighting Threats Becomes Paramount

The unmistakable explosion of successful online attacks across almost every industry in the past several years has driven most business executives to radically change their views and handling of the IT security function.

Now, IT security is expected to explain to the senior levels of an organization exactly how risks will be handled. The term “risk management” is profoundly changing the philosophies, strategies, approaches and plans of the IT security function, along with the behaviors of the entire organization around it.

Risk management is not compliance. It is a broader mandate that views success as business growth and continuity and not simply fulfilling a laundry list of activities to avoid regulatory fines.

Managing Security Risks

In the IBM-sponsored 2015 CISO study “Identifying How Firms Manage Cybersecurity Investment,” researchers from the Darwin Deason Institute for Cyber Security at Southern Methodist University report that “the most effective CISOs tended to avoid making [business] cases based primarily on compliance alone.”

The study quoted one CISO who said, “In everything that I communicate about why we’re investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around, ‘What’s the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine.’”

This more evolved focus on risk management is leading to a voracious appetite for boards to understand and define what a proper level of investment in IT security and risk management is. But with few — if any — pragmatic standards to draw on, the answer is probably “more than we have now.”

Read the full report: Identifying How Firms Manage Cybersecurity Investment

Getting the C-Suite Involved

C-level and business executives are forced to philosophically open the black box of IT security and understand how it impacts their functional responsibilities, not to mention their own interactions with the board. They are also increasingly responsible for handling risks related to compliance, data protection and other security-related issues.

Need proof? In the previously mentioned IBM-sponsored study, 85 percent of CISOs and related senior executives reported that the level of support for cybersecurity efforts has been increasing. In fact, “no one said that the amount of support they are receiving with respect to cybersecurity is decreasing.”

Significantly, all of this attention is inevitably leading to greater funding and influence, and hence power, for the senior IT security leader. This is often an executive-level CISO position.

That leads to the crisis emerging today: both IT operations and IT security now face an acute crisis of consumability.

This is Part 1 in a two-part series on security risks. Be sure to return for the conclusion next week.
