Q. Security has made strides in the last ten years or so but I don’t think we are valued as much as we should be by the rest of the organization. What do you think we still need to do?
A. In many organizations, security remains an antagonist or an afterthought. This amounts to more than a PR problem. Part of the issue is that organizational leaders simply can’t or won’t see the value in robust risk management. The other part is that the security leader doesn’t see himself or herself as a business leader and, therefore, sees no need or desire to take the initiative to innovate the security program or learn the business better.
Our ongoing research and trending of security-related issues has shed light on some remarkable strides made by security practitioners in the last seven to ten years, such as connecting the dots between security and the risks to each function of the organization, seeing the bigger picture and where their function resides within it, and, for a growing number of security leaders, building credible measures and metrics programs for security. However, we have also found some areas where some security leaders have hit a wall.
• As an industry, we have not established research-based documentation that provides baselines and templates for successful security.
• Most practitioners do not utilize the process of aligning their services with business goals to its full potential. Recognizing that a business goal is to increase revenue, a security practitioner may simply make a strategic statement that security will work with the business to reach that goal. However, this statement has limited value unless it is backed up by specific, actionable plans for accomplishing it.
• Security practitioners often operate with an on-demand mindset, offering ad hoc services in reaction to events without enough strategic, long-term programs that are built upon a solid understanding of the business, its risks and opportunities.
• Although somewhat savvier with regard to security risks, senior management’s progress in its understanding of the security function’s role in business continues to be limited.
• Security practitioners often view their function as different from all the other business units, as if that difference exempts them from behaving as the other units do: measuring performance, quantifying value and delivering on strategy initiatives. Increasingly, executive management disagrees.
• A surprising number of practitioners cannot articulate or do not know exactly what resources their function consumes or what capacity it has for delivering its services. You should be able to quantify how many FTEs are dedicated to a given project or service, know whether the business units that benefit from those services actually value them, and be prepared to list all the services security performs and for whom.
• In a similar vein, practitioners and corporations are generally unable to calculate the total cost of the security services being consumed by the organization.
• Many security leaders have reported that they continue to have little control over budget allocations and discretionary spending. There are many potential reasons for this, but one significant factor is security leadership’s inability to effectively influence executive management and to justify the spending they feel is necessary.
• Security services are frequently not communicated in terms of the risks they mitigate, which leaves gaps in how staff and leadership understand and invest in those services.
• While metrics are an increasingly hot topic, many security practitioners continue to count things rather than provide true, meaningful metrics. Metrics are intended to influence and to tell a story. It’s good to know how many laptops have been lost, but that number by itself isn’t a useful metric. A true metric provides context and points to solutions.
If you want to strengthen or maintain the quality of your program, you might ask yourself these questions. Do you consider yourself a leader? How much do you know about the inner workings of your business? When was the last time you created or monitored relevant metrics about your program’s operations and ROI? How often does your top management ask your opinion? Can you articulate your strategy? What do you need to do in the next 12 months?
To reiterate, we think security is evolving in many positive ways. We offer this list of items we've seen that need more work as constructive criticism to advance your success.