Most organizations view information security as a risk mitigation activity, a view reinforced by the security professionals themselves, by governance processes, and by the security approaches in use.
The information security profession grew out of the audit profession, compliance and regulatory groups, and public security agencies, which has reinforced the risk-centric view of security. Today, however, information security plays an important role in enabling the business.
Security groups have not been highly effective at driving the funding and security activities needed to adequately protect information resources. Most organizations are littered with security point solutions deployed as reactions to events rather than as part of a proactive, effective security strategy. Edgile takes a new approach to security governance that moves an organization’s information security group from a risk-centric function to a business-aligned capability, helping to transform how security is viewed and funded within the enterprise. The risk-centric and business-aligned approaches are not mutually exclusive and both are important, but today security groups are primarily risk-centric. An enhanced focus on a business-aligned approach elevates security from a purely risk mitigation activity to a strategic business enabler for the enterprise.
The Information Landscape
The future information landscape is dotted with cloud computing infrastructure, virtual global workforces, information available wherever it is needed, and dynamic collaboration technologies. The need to compete and win in the market, reduce cost, and spur innovation is driving organizations down this road. This change has been taking place slowly over the past 10 years, but the pace has increased as major software vendors, technology organizations and service providers enter the market with solution offerings. In this changing landscape, security looms as either a major business enabler or an insurmountable roadblock. Security organizations will not stop this trend, and if they are viewed as a roadblock they will be ignored except in the most risk-centric organizations. A more viable option exists for security organizations: that of strategic enabler. Security can be positioned to enable the move toward the new information landscape. To do so, security organizations need to align with the business and senior management, drive the funding needed to support these efforts, and implement effective solutions to manage risk as organizations make this transformation.
Risk-Based Security vs. Business-Aligned Security
Today, organizations typically use a risk-centric approach to drive security activities and investments. In theory, the risk approach starts with vulnerabilities, threats and the related risks; mitigating controls are then evaluated and implemented to reduce risk exposure. Under this approach, the security organization’s goal is to manage the organization’s risk exposure down to an acceptable level. A business-aligned security approach instead starts with the business, its strategy and its goals, and builds a security strategy that supports and enables the business while minimizing the additional exposure those business activities create. The differences between the two approaches are significant.
The risk-based approach, which has driven information security for years, starts with understanding the risks facing the organization. Each risk factor is first valued in some manner, then existing mitigating controls are used to adjust the risk factor, which yields the exposure for that area (Risk – Mitigating Controls = Exposure). Once all exposures are identified, one can plan how to add mitigating controls to further manage the organization’s exposure. In recent years, however, organizations have started to use one of several standard control frameworks, such as Control Objectives for Information and related Technology (COBIT) and ISO 27001 / 27002, to identify mitigating controls and then work backward to align those controls to risks, instead of truly performing a risk-based evaluation.
This approach creates two major issues. First, many business managers perceive mitigating controls as roadblocks. Second, security organizations struggle to express the exposure in terms that are meaningful to business managers. As a result, a trend is emerging in which an organization’s security direction is set by standard control frameworks, best practices and compliance requirements. This approach does produce results, but it generally favors point solutions over broad strategies. It can succeed at layering security across the organization, but it has not been effective at driving significant funding, aligning security with the business or gaining the support of senior executives. The risk-centric approach needs to be supplemented with a stronger business focus, which a business-aligned security approach provides.
Business-Aligned Security Approach
The business-aligned security approach starts with the business strategy and business goals. These are usually well defined and communicated by the firm’s senior leadership, and are interpreted and executed by the organization in a wide range of ways. Consider, for example, a firm seeking to grow global market share by 10 percent while cutting costs by 10 percent. The organization’s execution strategy could include increasing the number of foreign sales offices, enhancing collaboration capabilities with a third-party sales force, or moving to Software as a Service (SaaS) to lower IT costs. The security organization first needs to clearly understand the approach and the tactics by which the organization plans to execute the strategy. Many of the tactics will be similar in nature; for example, a number of groups in the firm may be looking to move to a SaaS model to support needed capabilities. The goal is to categorize the tactical execution around significant strategic capabilities.
To successfully execute the business strategy, information security plays a key role in ensuring that strategic capabilities are securely planned, developed, and implemented. Strategic capabilities can include an enhanced collaboration capability, a virtual global office capability, or a cloud computing capability. Many, if not most, of these capabilities depend heavily on a security foundation; what is needed is not simply an enhanced collaboration capability but an enhanced, secure collaboration capability. These strategic capabilities become the drivers of the business-aligned security strategy. Components of that strategy can include an enhanced identity management environment to support SaaS providers, or the use of digital rights management technology to support secure collaboration with third parties. Each component of the business-aligned security strategy must be clearly tied back to the strategic capability it supports and, ultimately, to the business strategy.
The development of the business-aligned security strategy is driven by the business strategy and the strategic business capabilities. Developing the strategy requires a significant amount of interaction with the business: defining the strategic capabilities clearly, from a security perspective, is done jointly with the business and IT groups. This interaction is critical to the process and is what builds the alignment between the security group and the business.
For most organizations, developing a business-aligned security strategy is a two- to three-month process. It requires business-savvy security professionals whose primary focus is making the business successful, in addition to managing risk.
Typically, the business-aligned security strategy produces better results than a risk-centric-only approach. Enhancing the current set of mitigating controls, the focus of a risk-centric approach, remains an important function, but it is an operational activity. The business-aligned security approach is a strategic activity focused on enabling the business strategy and strategic capabilities in a secure manner. With a larger focus on the business, the organization’s exposure is lowered while the business gains greater benefits. Broader security questions are asked, such as “how can we securely enable cloud computing?”, and the results are strategic solutions that would not have been considered under the risk-centric approach. These strategic solutions solve broader problems and address future risk. The most valuable benefit, however, is that the business starts to clearly view security as a strategic enabler. The conversation between the business and the security organization moves from a risk discussion to a strategic discussion, and security is addressed earlier in the strategy and planning processes. This new level of partnership and alignment also simplifies the budget request process and builds support for increased spending on security activities. Moving to a business-aligned security approach can greatly benefit both the business and its security organization.
A business-aligned security strategy and a risk-based strategy are not mutually exclusive. Organizations will need to continue to manage their overall risk profile, but that is an ongoing activity which is not designed to address the opportunities confronting the business today. Security organizations must do a better job of communicating the value of security to the business and its impact on the bottom line. The business-aligned security approach is an effective methodology for developing alignment between the security organization and the business, communicating the value of security to executives and helping to justify expanded security funding.