When faced with an increased number of threats, the natural tendency is to want to lock everything down as much as possible. In reality, the role of the IT security officer is evolving into one that enables business processes to occur with the least amount of risk possible.
A recent report issued by the Security Business Innovation Council (SBIC) created by EMC advises IT security officers to pursue a more nuanced approach. While there may be more security threats than ever, business opportunities are often fleeting. In an age when business is increasingly digital, organizations need an agile IT infrastructure that allows them to rapidly respond to new business opportunities.
Sam Curry, chief technology officer for marketing at the RSA Security Division of EMC, says one of the biggest issues facing IT security officers today is that they don’t speak the language of business. Every business person understands the concept of risk. After all, that’s what business is all about. Curry says that IT security people tend to overly emphasize the risks without fully appreciating the potential business benefits of the opportunity at hand.
Curry concedes that while striking a balance between risk and opportunity is easy to understand in concept, actually making it work in practice is fiendishly difficult.
To strike that balance, the SBIC recommends:
- Shift Focus from Technical Assets to Critical Business Processes: Expand beyond a technical, myopic view of protecting information assets and get a broader picture of how the business uses information by working with business units to document critical business processes.
- Institute Business Estimates of Cybersecurity Risks: Describe cybersecurity risks in hard-hitting, quantified business terms and integrate these business impact estimates into the risk-advisory process.
- Establish Business-Centric Risk Assessments: Adopt automated tools for tracking information risks so that business units can take an active hand in identifying danger and mitigating risks and thus assume greater responsibility for security.
- Set a Course for Evidence-Based Controls Assurance: Develop and document capabilities to amass data that proves the efficacy of controls on a continuous basis.
- Develop Informed Data Collection Techniques: Set a course for data architecture that can enhance visibility and enrich analytics.
Curry says that instead of thinking of IT security as a fight between battleships blasting away at each other, the reality is that modern IT security more closely resembles submarine warfare. Most of your time is spent patrolling the depths of the Internet, trying to identify potential threats. Once a threat has been identified, the mission is not necessarily to eliminate it, but rather to help the business navigate around it.