Sent to Coventry: How Security Risks Are Changing Organizational Norms

March 23, 2016
| |
3 min read

Sent to Coventry.

A proper Englishman would take great joy in sharing the illustrious past of this allusive phrase, referring to those who are ignored or ostracized by a greater population.

Sent to… Security?

Until a few years ago, the relationship between IT security and the rest of an organization was relatively predictable. IT security had traditionally been seen as the domain of super-smart technologists who didn’t always mix well with others and who spent their time constantly pleading for funding to deploy the latest products for protecting the organization against threats that seldom seemed to materialize.

IT security also became known as the “Department of No” — the place where business and IT leaders would get stuck when trying to roll out their latest innovations to get a leg up on the competition through technology, based on overprotective concerns about mysterious threats that seemed to be unlikely to impact the organization.

Then compliance happened. As major regulatory mandates such as the Sarbanes–Oxley Act (Sarbox), the Health Insurance Portability and Accountability Act (HIPAA) and others started to emerge in the late 1990s and early 2000s, the IT security function became one of the linchpins for asserting proper governance and compliance.

Senior IT security leaders — whether a chief information security officer (CISO) or a manager of network security — naturally took advantage of this imperative to divert additional funding toward ensuring additional security technologies and processes were in place. But businesses often saw this as delaying their own customer-focused initiatives.

Bridging the Gap

Clearly, this was not a great organizational resume for fostering productive internal relationships across a business, especially one that was primarily focused on growing through innovation. And it showed.

IT operations became frustrated over supporting dozens and sometimes hundreds of security point products in production, many requiring extensive architectural support and changes to networks and endpoints.

C-level officers and business executives were faced with an unwelcome and constant barrage of requests to focus funding toward yet another security initiative based on a compliance mandate, and they were without understanding of the explicit business value of these investments. Boards of directors were forced to support these investments due to growing worries about the publicity and fines that could come from failing to meet regulations or being the victim of a data breach.

In other words, the IT security team was the function you were forced to work with. Then the real problems started.

Fighting Threats Becomes Paramount

The unmistakable explosion of successful online attacks across almost every industry in the past several years has driven most business executives to radically change their views and handling of the IT security function.

Now, IT security is expected to explain to the senior levels of an organization exactly how risks will be handled. The term “risk management” is profoundly changing the philosophies, strategies, approaches and plans of the IT security function, along with the behaviors of the entire organization around it.

Risk management is not compliance. It is a broader mandate that views success as business growth and continuity and not simply fulfilling a laundry list of activities to avoid regulatory fines.

Managing Security Risks

In the IBM-sponsored 2015 CISO study “Identifying How Firms Manage Cybersecurity Investment,” researchers from the Darwin Deason Institute for Cyber Security at Southern Methodist University report that “the most effective CISOs tended to avoid making [business] cases based primarily on compliance alone.”

The study quoted one CISO who said, “In everything that I communicate about why we’re investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around, ‘What’s the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine.'”

This more evolved focus on risk management is leading to a voracious appetite for boards to understand and define what a proper level of investment in IT security and risk management is. But with few — if any — pragmatic standards to draw on, the answer is probably “more than we have now.”

Read the full report: Identifying How Firms Manage Cybersecurity Investment

Getting the C-Suite Involved

C-level and business executives are forced to philosophically open the black box of IT security and understand how it impacts their functional responsibilities, not to mention their own interactions with the board. They are also increasingly responsible for handling risks related to compliance, data protection and other security-related issues.

Need proof? In the previously mentioned IBM-sponsored study, 85 percent of CISOs and related senior executives reported that the level of support for cybersecurity efforts has been increasing. In fact, “no one said that the amount of support they are receiving with respect to cybersecurity is decreasing.”

Significantly, all of this attention is inevitably leading to greater funding and influence, and hence power, for the senior IT security leader. This is often an executive-level CISO position.

That leads to the crisis emerging today: Both IT operations and IT security are facing the acute crisis of consumability.

This is Part 1 in a two-part series on security risks. Be sure to return for the conclusion next week.

Bob Kalka
Vice President, IBM Security Business Unit

Bob Kalka, CRISC, is a Vice President in the IBM Security Business Unit. He has been involved in the information security industry for 20 of his 25 years wit...
read more