Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Experts: Security Professionals Should Focus on Protecting Business Processes, Not Just Assets

A new report from the Security for Business Innovation Council (SBIC) underscores what many mature enterprises know – that IT organizations need to collaborate with the business side of the house in the name of security.

A new report from the Security for Business Innovation Council (SBIC) underscores what many mature enterprises know – that IT organizations need to collaborate with the business side of the house in the name of security.

SBIC is composed of a group of top security leaders from Global 1000 enterprises. In its latest report, ‘Transforming Information Security: Future-Proofing Processes’, the council notes that while business groups within organizations are taking greater ownership of information risk management, outdated security processes still hamper efforts to combat new cyber-security risks.

“Understanding the business impact of security is a way of giving stakeholders a common language, and common goals,” said Sam Curry, chief strategy office and chief technologist for RSA, EMC’s security division. “By putting the impact of security in business terms it also builds “social networks” within the business and respect for the leadership in security. It also makes security more than a mere tax on the business.  These are essential activities if future spend associated with becoming more mature will ever be possible.”

The new report advises information security professionals take five steps towards improving security: shift the focus from protecting technical assets to critical business processes; institute business estimates of cyber-security risks; establish business-centric risk assessments; develop data collection techniques and document capabilities for collecting data that proves the effectiveness of security controls.

Advertisement. Scroll to continue reading.

Selecting key metrics is important, Curry said.

“This will be fundamentally a set of business metrics and indicators that will last a long time (through a number of growth phases) and that will encourage the right corrective actions and controls from all functions, not just security,” he continued. “From there, this becomes an operations mapping exercise.  You shouldn’t start with the controls, start instead with the business.”

“Ultimately this isn’t about the C-Suite taking a crash course in security, it’s about security understanding the business and getting out of its silo,” he added. “The rest of the company will respond well and in kind.”‘

While immature organizations may typically try to measure risk in terms of impact to systems and perhaps a small lack of employee productivity, a more detailed and accurate assessment would be to think of a wider picture – things like brand damage, the effect on service level agreements and customer and partner commitments, Curry said. It would also plan mitigations and contingencies.

“Risks must ultimately be understood regardless of their type, so they can be accepted or addressed,” he said. “It’s also important that there isn’t perceived to be a finite checklist of IT security risk: this isn’t about checklists or ‘if I just do X, all will be ok.’ This is about treating security as a source of risk and as a business process like any other within the company from legal and finance to support and operations.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...