Business-driven security is a path leading-edge organizations are taking to address potential vulnerabilities from the earliest stages of digital transformation projects and other complex initiatives.
However, the majority of the customers that consultants and other IT service providers encounter haven't fully adopted this philosophy, which calls for collaboration between a company's security team and its business leaders. Enterprises looking for quick time to market still often view security as an obstacle to avoid, rather than a partner that can enable innovation.
Yet, businesses taking a more integrated approach to security are outperforming their peers that don't, according to consulting firm PricewaterhouseCoopers' Digital Trust Insights survey. The survey, published in May, assessed the characteristics of "trailblazers," the top 25% of the respondents who reported better business outcomes, such as meeting or exceeding digital transformation expectations.
The trailblazer group was "more likely to embed their cybersecurity teams within the business to support strategic goals," according to PwC. Nearly two-thirds of trailblazers strongly agreed their cybersecurity teams are embedded in the business and support business imperatives, the survey noted. Fifteen percent of companies outside the trailblazer category could make the same claim.
"We are seeing the trailblazers look at cyber as a business enablement capability and a function of managing business risk," said TR Kane, cybersecurity principal at PwC and U.S. strategy, transformation and risk leader at the firm.
On the other hand, clients sometimes approach PwC with a transactional notion of cybersecurity, Kane noted. For example, customers will request a Payment Card Industry Data Security Standard compliance review for a new product that will handle credit card information. "We ask, 'Did you design this product with security integrated at the right product development lifecycle steps?'" Kane said.
When the answer is no, PwC aims to help clients catch up with the trailblazers.
"Those are the folks we are trying to help close the gap," Kane said.
Instilling business-driven security
The goal is to instill security as a strategic business activity, as opposed to an onerous tactical chore. Security and business teams must reconsider their thinking to achieve that end and foster greater cooperation.
"Security teams need to change their approach if we want [business executives] to stop circumventing them," said Ron Temske, vice president of security and network at Logicalis Group, a managed IT services provider with U.S. headquarters in New York.
For example, security teams should report security metrics in a way that is meaningful to the business, he noted. A graph depicting the number of vulnerabilities detected in a given time period lacks the business context a board of directors needs. Instead, the security group must translate security metrics into business value, Temske said.
The group, for instance, could specify its investment in a particular control and then quantify the resulting reduction in risk liability. Logicalis, as part of its managed security services, helps organizations have more "board-relevant conversations" and present more compelling metrics, he said.
The business leadership, on the other hand, must adopt a new perspective on security. Corporate boards need to recognize the importance of cybersecurity, given their responsibility for the financial health of their organizations, he said.
"So, it really has to come from both sides," Temske said of cultural change.
Enterprises pursuing business-driven security are creating structures to institutionalize the approach. Kane said many trailblazing organizations have created formal governance committees to guide their digital transformation projects. Those committees include the organization's cybersecurity team, compliance team, risk team and business operations leaders, he said.
Other relevant functional groups may also participate. For example, a digital transformation project focused on cloud-based human capital management software would include an HR representative.
The governance committees tend to meet every two weeks or monthly, Kane added, noting the frequency underscores the importance of those groups.
Enterprises that embed cybersecurity early in the project lifecycle are seeing cost and efficiency improvements.
"They are actually getting cost savings by doing it the right way, with security integrated upfront versus hitting the brakes midstream or after the fact," Kane said. "They are not having to deal with rework, redesign or having to scrap a project altogether."
While security has been viewed as a barrier to progress, "we are now seeing it actually creating some efficiencies," Kane added.
Temske also noted security's potential to boost efficiency.
"The biggest difference we see is ... reducing the amount of effort spent post-deployment retroactively fixing security bugs," he said.
Temske suggested security frameworks, such as the ISO 27000 series, can help organizations work toward closing the security-business gap and obtaining the resulting benefits. When a board decides to adopt such a framework, organizations avoid much of the debate around cybersecurity actions.
"I have seen [frameworks] to be a very effective tool to bring those two sides together," Temske said.
Communication is key
Communication between the security and business sides of the house is important, but so too is a broader discussion that extends throughout an enterprise. Getting everyone involved in security improves the odds of deflecting cyberattacks.
"People continue to be the weakest link," said Mike Sprunger, senior manager of cloud and network security at Insight, an IT solution provider in Tempe, Ariz. "The technology is getting better with AI, ... but people continue to be the avenue [attackers use] to get into an environment and get into the data."
Against that backdrop, corporate leadership must set a tone that supports an open dialog on security. Talking to employees about how to identify suspicious email and encouraging them to report anomalous activity would go a long way toward combating such threats as credential harvesting, Sprunger said.
"People have to understand their responsibility to say something if they see something," he said.
And when discussing security, associating specific security measures with business results is as critical for users as it is for board members. Instead of telling employees to use longer passwords because they're harder to crack, tell them how the business could be affected if passwords are compromised, Temske recommended. Linking a security policy with something that's meaningful to the business encourages greater compliance.
"Communication is the key part," Temske said of security.