The Real Reason for Security
In past years, discussions about security have typically dealt with asset protection: the protection of people, proprietary information, critical business processes, the integrity of data, and so on.
More recently, the subject of risk has entered the picture, and in the past couple of years leading discussions have centered on the adoption of a unified risk perspective for physical, IT and corporate security.
Understanding Security Risk
Understanding risk means understanding the business, and this is where leading security practitioners have lately been making significant strides: aligning security with the business.
Recent research by the Security Executive Council presents an interesting picture of the security profession today, and the security programs that security practitioners have developed.
The research shows that about 75% of CSOs are working on or have core security programs in place (traditional security measures such as policies and procedures, investigations, a risk assessment process, workplace violence prevention, awareness programs, reporting policies, access control and so on). About 15% are working on or have sector-specific security programs (tailored to the specific risks or incidents of the industry, such as retail, manufacturing, electrical energy, hospitality, oil & gas, etc.). About 8% are working on or have reached the level of security alignment with business goals (they are at the leadership table discussing the security implications of new business strategies and are becoming influential in the business). The remaining 2% have all of the previous elements of their program in place and are future-focused (they are well aligned with the business, involved in its evolution, and planning for the emerging risks that are on the horizon but not yet here).
The last three categories are all stages or degrees of business alignment.
The Security Executive Council is the organization working on leadership solutions to get more security leaders to the business alignment stage and helping executive management understand the value of having their security leaders at the business table.
I think the best way to get across how addressing security risk depends upon business alignment is to use an analogy about security introduced by Art Coviello, Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC. Coviello said, “Security is akin to the brakes on a car.” (Since my early background is in automotive engineering, this is an analogy dear to my heart.)
The Real Reason for Brakes on Cars
Here is the way I like to say it:
Question: Why do we put brakes on cars?
Usual Answer: So we can stop.
Real Reason: So we can go fast.
When we step back and get a big-picture look, it becomes obvious that the quicker and more safely we can stop the car, the faster we can safely go. It’s not intuitive to conclude that brakes make cars go faster, but that is the ultimate benefit of having brakes. It’s not the engineering reason; it’s the CEO and Board level reason.
When we get caught up in the “engineering” of our security programs, it’s easy to lose the higher perspective. Security allows the business to go faster, to go places it couldn’t otherwise go, and to operate in conditions or environments that otherwise would not be viable.
That’s what today’s computerized brakes do for cars. They allow cars to be operated more safely under conditions of ice, water and road hazards that were previously too dangerous for comfort. They don’t eliminate the risks; they reduce them enough that we’re willing and eager to drive to our destinations.
By reducing the risk, they expand the viable scope of operations.
The Real Reason for Security
Today’s brakes are “well-aligned” with the business of driving, and its goal of reaching destinations quickly and safely. We need our security programs to be similarly well aligned with the business of our companies.
Allowing our companies to thrive under the full spectrum of their business conditions—in both physical commerce and electronic commerce—is the real reason for security.
Best regards,
Ray Bernard