As a starting point, Glue Reply put forward the opinion that all security professionals need to move away from the concept of security as a “necessary cost” for the business, into a more sustainable “security as a business enabler”.
Often the business is blamed for having the view that security is just a necessary cost, but it is the CSOs, CROs and all executives in charge of security that are often to be blamed for this mindset. Business people within any organisation (especially the CFO, who often, ultimately, approves any spending in security) often take a simple view that if the business case/plan stacks up and the risk is acceptable, then they will invest. So why then are security and risk people often failing to obtain funding for new projects?
To tackle this problem, information security and operational/IT risk management must be organised as a “business within the business”. All security functions must manage their own profit and loss statement regarding activities and investments. To be clear, security benefits are hard to measure (the “no news is good news” rule applies here) and the statement must include cost saving initiatives, as well as any investments made.
If we stop there – as many organisations do – the P&L account would show that security and risk management functions are to be seen as a cost centre. Therefore, the statement must also include the value added to the business in terms of increased control over the organisation and operations.
This approach has one major benefit. It makes the risk and information security functions start thinking, measuring and communicating to their executive management in terms of “value” rather than “cost”, in terms of “operational benefit” rather than “regulatory constraint”, and ultimately “increasing business resilience” rather than “spending money on security”.
Building a credible business case for security is not something that can be done effectively within the scope of a narrowly focused project. It doesn’t just contain pluses and minuses in financial values, but also pluses and minuses in governance and organisational control. It takes a profound change in both the mindsets of those who write the business plan, and of those who evaluate it.
Sue Diver, head of security UK of the AXA Group, a keynote speaker at the debate, shared the experience of trying to drive this approach one step at a time, enabling the cultural change in the AXA organisation:
“In complex organisations such as AXA, there is little space for a top-down approach. The implementation of an effective enterprise security architecture requires a change of mindset both at the board level and at the operations level. We decided to go for a bottom-up approach, in order to make sure that we obtain the buy-in from all IT and risk management functions. Involving business functions in the right manner is crucial to success, and they must see that the culture change has been initiated among those that will have an active part in adopting the enterprise security architecture.”
Davide Sola, professor of strategy at the ESCP Business School, explained how any security transformation programme must take into consideration the “will to change” within the enterprise:
“Enabling a change in the way that security is managed within an organisation is not just a matter of internally publishing a set of well-written documents. The security strategy, including the ‘vision’ of the end state, must be well defined and appropriately communicated. Even this is not enough though, as most strategic project failures are due to poor execution. The right attitude and behaviours must be embedded in the standard operational model of the whole company.”
Sola went on to explain the factors that need to be taken into consideration once the following preconditions are in place, in terms of business change from a wider perspective, encompassing security change:
- A shared understanding and awareness that changing the business is indispensable and actions need to be taken
- A holistic vision of what the outcome should look like at the end of the change programme: the “end state” in terms of concrete objectives as well as in terms of target mindset and behaviour
- A number of initiatives showing the way to achieve the end state
If the preconditions are in place, then there are some powerful tools that can be used in order to enable the change: as an example, nothing works better than a compelling story relevant to stakeholders. A story links the change and benefit to the individual and their connection to the situation.
Any security transformation programme includes some security awareness and training activities. Those must be seen as the opportunity to influence the key stakeholders and the natural leaders within the organisation. Leaders are key influencers and must be seen as ‘role models’ in order to trigger the change in attitude and behaviour within the organisation.
Many more tools can be used, but these two elements (a story and role models) are crucial to the success of any change programme, such as a security transformation.
The event was successful in providing practical tools to participants on how to tackle the complexity of the definition and implementation of an enterprise security architecture in any enterprise.
One of the key outcomes of the debate has been recognition from the participants that, currently, there are multiple views on methodologies, standards and frameworks. The organisation must understand the core underlying concepts and obtain support from professionals that are expert in them. This understanding is required in order to deliver state-of-the-art solutions and obtain better alignment between the business and the security strategy.
This article was written by Daniele Vitali, head of the Enterprise Security Practice at Glue Reply, an independent IT consultancy in the UK. Glue Reply works with heads of architecture, programme management, security, CIOs and CTOs in organisations from sectors including retail, telecoms, financial services, utilities, defence, media and entertainment.