March 23, 2016 By Bob Kalka 3 min read

Sent to Coventry.

A proper Englishman would take great joy in sharing the illustrious past of this allusive phrase, referring to those who are ignored or ostracized by a greater population.

Sent to… Security?

Until a few years ago, the relationship between IT security and the rest of an organization was relatively predictable. IT security had traditionally been seen as the domain of super-smart technologists who didn’t always mix well with others and who spent their time constantly pleading for funding to deploy the latest products for protecting the organization against threats that seldom seemed to materialize.

IT security also became known as the “Department of No” — the place where business and IT leaders would get stuck when trying to roll out their latest innovations to get a leg up on the competition through technology, based on overprotective concerns about mysterious threats that seemed to be unlikely to impact the organization.

Then compliance happened. As major regulatory mandates such as the Sarbanes–Oxley Act (Sarbox), the Health Insurance Portability and Accountability Act (HIPAA) and others started to emerge in the late 1990s and early 2000s, the IT security function became one of the linchpins for asserting proper governance and compliance.

Senior IT security leaders — whether a chief information security officer (CISO) or a manager of network security — naturally took advantage of this imperative to divert additional funding toward ensuring additional security technologies and processes were in place. But businesses often saw this as delaying their own customer-focused initiatives.

Bridging the Gap

Clearly, this was not a great organizational resume for fostering productive internal relationships across a business, especially one that was primarily focused on growing through innovation. And it showed.

IT operations became frustrated over supporting dozens and sometimes hundreds of security point products in production, many requiring extensive architectural support and changes to networks and endpoints.

C-level officers and business executives faced an unwelcome and constant barrage of requests to direct funding toward yet another security initiative justified by a compliance mandate, with no clear understanding of the explicit business value of these investments. Boards of directors were forced to support these investments because of growing worries about the publicity and fines that could follow from failing to meet regulations or becoming the victim of a data breach.

In other words, the IT security team was the function you were forced to work with. Then the real problems started.

Fighting Threats Becomes Paramount

The unmistakable explosion of successful online attacks across almost every industry in the past several years has driven most business executives to radically change their views and handling of the IT security function.

Now, IT security is expected to explain to the senior levels of an organization exactly how risks will be handled. The term “risk management” is profoundly changing the philosophies, strategies, approaches and plans of the IT security function, along with the behaviors of the entire organization around it.

Risk management is not compliance. It is a broader mandate that views success as business growth and continuity and not simply fulfilling a laundry list of activities to avoid regulatory fines.

Managing Security Risks

In the IBM-sponsored 2015 CISO study “Identifying How Firms Manage Cybersecurity Investment,” researchers from the Darwin Deason Institute for Cyber Security at Southern Methodist University report that “the most effective CISOs tended to avoid making [business] cases based primarily on compliance alone.”

The study quoted one CISO who said, “In everything that I communicate about why we’re investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around, ‘What’s the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine.'”

This more evolved focus on risk management is leading to a voracious appetite for boards to understand and define what a proper level of investment in IT security and risk management is. But with few — if any — pragmatic standards to draw on, the answer is probably “more than we have now.”


Getting the C-Suite Involved

C-level and business executives are forced to philosophically open the black box of IT security and understand how it impacts their functional responsibilities, not to mention their own interactions with the board. They are also increasingly responsible for handling risks related to compliance, data protection and other security-related issues.

Need proof? In the previously mentioned IBM-sponsored study, 85 percent of CISOs and related senior executives reported that the level of support for cybersecurity efforts has been increasing. In fact, “no one said that the amount of support they are receiving with respect to cybersecurity is decreasing.”

Significantly, all of this attention is inevitably leading to greater funding and influence, and hence power, for the senior IT security leader. This is often an executive-level CISO position.

That leads to the crisis emerging today: Both IT operations and IT security are facing an acute problem of consumability.

This is Part 1 in a two-part series on security risks. Be sure to return for the conclusion next week.
