There seems to be wide-spread recognition that a communication problem exists between enterprise security teams and the boardroom. I hear it all the time: from customers, from CISOs and from analysts.
The reasons for this miscommunication vary, but conventional wisdom suggests it’s caused by the two different languages spoken by technical practitioners and the executives sitting in the boardroom. There is indeed a fundamental disconnect between these two groups and it often leads to a debilitating failure to understand risk, which can result in a corresponding (and dangerous) lack of funding for security programs.
But focusing efforts on a solution to the language barrier is like putting road wheels on a tractor — things may be slightly better where the rubber meets the road, but the ride will continue to be slow and bumpy.
Rapid technological advancement within our businesses and the infrastructures we use to deliver them have forced IT organisations to evolve. The independence of an enterprise’s IT strategy from the company’s business objectives is no longer an effective strategy.
Today, IT organisations are focused on finding solutions to complex problems, with the aim of enabling people to achieve business objectives. In forward-thinking organizations, this fusion of information technology and business has resulted in a comprehensive “digital enterprise,” which is a new, more agile and more business-focused organization than its predecessor.
As IT organisations have evolved, security organisations too have the same obligation and a similar set of challenges. Yesterday’s Information Security programs focused on using technology to secure the perimeter and prevent attacks. But tomorrow’s “Digital Security” programs must focus primarily on enabling the business, and must also be able to minimize impact to the business when attacks happen.
This transition from technical IT guardrails to business enablement and agile response requires a deep understanding of the business itself and its underlying business objectives. Such a strategy demands a new approach to security programs, a new type of security team and a new breed of security leader.
IT leaders have traditionally been technical, organised and focused individuals comfortable working in small teams. The new breed of security leader must encompass some of those traits, certainly the “technical” and “organised” aspects. But these leaders must also be strategic, inspirational, decisive and agile people-leaders capable of steering large organisations towards business goals
The challenges don’t end there. As we’ve seen throughout history, rapid and disruptive technological advancement make our businesses more effective and our everyday lives easier and more convenient, but can also arm our adversaries with new tools and capabilities to do us harm. Reward is always accompanied by risk.
We may have become faster and more capable, but so have cyber criminals. The rise in sophistication and prevalence of advanced and persistent attackers has changed the threat landscape and forced security leaders to take a fresh look at the strategy and the capabilities needed to deal with today’s threats.
Security teams and security leaders are still coming to terms with these new realities and the rise in cyber-crime. The high-profile victims we’ve seen over the last four to five years are indicative of the fact that even large enterprises are finding it difficult to keep their systems secure. It’s understandable.
Historically, the security organization was born out of the IT department, where leaders were often selected by default, as the most security-aware IT technician on the team. Although some can make the transition from IT expert to security leader, the roles are highly contrasting and many appear to be struggling.
If we consider “digital” to be the coming together of IT and business, it follows that security in the digital world needs to incorporate a business-focused approach. Today’s security leaders need to learn to operate and communicate in business terms.
Boardrooms aren’t interested in “compensating controls,” IDS/IPS, or any other “flux capacitor” the security teams want to buy. They care about business risk, business outcomes, and the business plan to deliver them.
If security teams are going to effectively communicate cyber risk to the boardroom, they must speak the language spoken in the boardroom, they must abandon their technical backgrounds and identify the business solutions the security team needs to protect the business. Even more than that, with so many changes to the role of security organisations, success will require transformation, which demands more than technical expertise and business acumen. It requires leadership.
It remains to be seen how many of today’s traditional, technical security leaders can make the leap from technical expert to transformational business leader. I suspect successful security organisations of the future will continue to be staffed with technical analysts and practitioners, as they will always be vital, but they may be led by leaders with a background rooted in leading people and delivering business outcomes.
If I’m right, the language barrier between these two groups will take care of itself.
Find out more about the new breed of security leader at Rackspace, as well as our full suite of managed security services and the ways they can help protect your business against new and evolving threats.