March 23, 2016 By Bob Kalka 3 min read

Sent to Coventry.

A proper Englishman would take great joy in sharing the illustrious past of this allusive phrase, referring to those who are ignored or ostracized by a greater population.

Sent to… Security?

Until a few years ago, the relationship between IT security and the rest of an organization was relatively predictable. IT security had traditionally been seen as the domain of super-smart technologists who didn’t always mix well with others and who spent their time constantly pleading for funding to deploy the latest products for protecting the organization against threats that seldom seemed to materialize.

IT security also became known as the “Department of No” — the place where business and IT leaders would get stuck when trying to roll out their latest innovations to get a leg up on the competition through technology, based on overprotective concerns about mysterious threats that seemed to be unlikely to impact the organization.

Then compliance happened. As major regulatory mandates such as the Sarbanes–Oxley Act (Sarbox), the Health Insurance Portability and Accountability Act (HIPAA) and others started to emerge in the late 1990s and early 2000s, the IT security function became one of the linchpins for asserting proper governance and compliance.

Senior IT security leaders — whether a chief information security officer (CISO) or a manager of network security — naturally took advantage of this imperative to divert additional funding toward ensuring additional security technologies and processes were in place. But businesses often saw this as delaying their own customer-focused initiatives.

Bridging the Gap

Clearly, this was not a great organizational resume for fostering productive internal relationships across a business, especially one that was primarily focused on growing through innovation. And it showed.

IT operations became frustrated over supporting dozens and sometimes hundreds of security point products in production, many requiring extensive architectural support and changes to networks and endpoints.

C-level officers and business executives were faced with an unwelcome and constant barrage of requests to focus funding toward yet another security initiative based on a compliance mandate, and they were without understanding of the explicit business value of these investments. Boards of directors were forced to support these investments due to growing worries about the publicity and fines that could come from failing to meet regulations or being the victim of a data breach.

In other words, the IT security team was the function you were forced to work with. Then the real problems started.

Fighting Threats Becomes Paramount

The unmistakable explosion of successful online attacks across almost every industry in the past several years has driven most business executives to radically change their views and handling of the IT security function.

Now, IT security is expected to explain to the senior levels of an organization exactly how risks will be handled. The term “risk management” is profoundly changing the philosophies, strategies, approaches and plans of the IT security function, along with the behaviors of the entire organization around it.

Risk management is not compliance. It is a broader mandate that views success as business growth and continuity and not simply fulfilling a laundry list of activities to avoid regulatory fines.

Managing Security Risks

In the IBM-sponsored 2015 CISO study “Identifying How Firms Manage Cybersecurity Investment,” researchers from the Darwin Deason Institute for Cyber Security at Southern Methodist University report that “the most effective CISOs tended to avoid making [business] cases based primarily on compliance alone.”

The study quoted one CISO who said, “In everything that I communicate about why we’re investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around, ‘What’s the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine.'”

This more evolved focus on risk management is leading to a voracious appetite for boards to understand and define what a proper level of investment in IT security and risk management is. But with few — if any — pragmatic standards to draw on, the answer is probably “more than we have now.”

Read the full report: Identifying How Firms Manage Cybersecurity Investment

Getting the C-Suite Involved

C-level and business executives are forced to philosophically open the black box of IT security and understand how it impacts their functional responsibilities, not to mention their own interactions with the board. They are also increasingly responsible for handling risks related to compliance, data protection and other security-related issues.

Need proof? In the previously mentioned IBM-sponsored study, 85 percent of CISOs and related senior executives reported that the level of support for cybersecurity efforts has been increasing. In fact, “no one said that the amount of support they are receiving with respect to cybersecurity is decreasing.”

Significantly, all of this attention is inevitably leading to greater funding and influence, and hence power, for the senior IT security leader. This is often an executive-level CISO position.

That leads to the crisis emerging today: Both IT operations and IT security are facing the acute crisis of consumability.

This is Part 1 in a two-part series on security risks. Be sure to return for the conclusion next week.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today