Careers & People
4/10/2017
10:30 AM
Roland Cloutier
Commentary

Setting Up Security as a Business: 3 Best Practices for Security Execs

Security leaders need to show they provide more than stop-the-bad-guys services. Here's how.

At the beginning of March 2017, a third-party platform launched that promises to be a bidirectional clearinghouse to improve the security industry's approach to third-party risk management. Called CyberGRX, the company says it will dramatically alleviate what is now a manual, spreadsheet-driven process of vendors being inefficiently assessed by customers. It will allow security teams for both companies and customers to focus on protecting their respective businesses.

The existence of CyberGRX and other new services signals a movement in the security community. It's a clear confirmation that security is now a fundamental business issue and a potential growth advantage — and that security executives must take the lead in convening the business and having discussions about how security becomes a strategic lever.

[Check out Roland Cloutier's session, Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage, at Interop ITX on May 17.]

And increasingly, security execs have the floor. The massive number of cyberattacks, exploits, and cybercrime incidents has made it clear that every company will be affected by a security issue. Security officers no longer have to waste time legitimizing security as a business risk; they should be the lead executives who provide the insightful information and details on business impact that business leaders need to make sound decisions.

This is the moment that security professionals must change the view of security from a defensive "stop the bad guys" function to a strategic lever that is critical to sustain and drive the business. This "Business Operations Protection" mentality has been simmering for a long time within the security community, and there are three things its leaders must do to make sure this mindset is accepted by the C-suite and board of directors.

1. Know the state of security.
Security leaders are being heard, but how did we get here? In other words, what resonated with your C-suite and board in the first place to give you a seat at the table? There are three main trends:

  • More volume and velocity of cyber incidents. In 2016, more than 4.2 billion records were breached in 4,149 separate incidents globally. What are the trends in your industry and against your business, and how are you proactively defending your organization from these threats?
  • More dramatic and objective business impact. In recent years, security attacks have been measured against things that align with business impact: consumer confidence, business reputation, and rising costs are a few popular metrics. For example, in 2015, British insurance company Lloyd's of London estimated that cyberattacks cost businesses as much as $400 billion a year, including direct costs plus residual post-attack business effects. In what way can probable events affect your business, your clients, or your go-to-market objectives?
  • Greater accountability to be secure and report as such. Other companies in your ecosystem — such as suppliers, distributors, customers, competitors, government agencies and so on — are also more aware of the risks of cyber incidents than they used to be, so we're seeing more reporting and compliance-like regulatory measures appear. Not complying comes with its own potential costs and penalties. Examples include the General Data Protection Regulation in Europe and the New York State Department of Financial Services regulations, both of which carry implications for the theft of personally identifiable information, payment data, and personal health information, as well as the costs of credit monitoring and notifying customers.

2. Learn the language to talk to business leadership.
Security leaders are great at understanding the business at a technical level, as well as bad guys and residual risk measurements. On the other hand, they're often not as well-versed in how to talk about the security function's goals in a way that resonates with business. If security leaders merge performance indicators with the impact that security has on them, define clear alignment to the company's strategic imperatives, and create a road map for security, risk, and privacy efforts that accelerate the success of company goals, business leadership will be able to listen, understand, and support the security team's mission.

To accomplish this, you should be armed to discuss:  

  • Strong metrics around how breaches affect the business. For example, figures around cost per incident and the impact on your company's profitability, or the number of incidents caused by employees, technology, or external influences, and the resulting hours of downtime to enterprise systems.
  • The less-quantifiable effects resulting from security attacks. For example, the reputational impact on your company, client wins and losses due to security features, or client satisfaction and promoter scores after an incident.
  • How security services, projects, and programs provide foundational capabilities that are necessary to deliver or accelerate strategic corporate imperatives.

3. Become an expert in the business.
In talking security, what can get lost is what it's all for. In other words, security leaders must know end-to-end how their business designs, builds, delivers, and supports the products or services it takes to market.

Some of the key questions to ask:

  • How do we make money? What is our profitability model? Is it based on repeat business? Is it based on net new clients?
  • What does the network of organizations impacting my business look like? Who does business on my behalf? What type of information and technology are exchanged? What supplies my organization so that it can deliver services?
  • What is my intellectual property and why does it matter to my business?

To drive security as a business, at ADP we have a process called value chain risk assessment. We look at our business model and map out the value chain. Because we have multiple businesses within the larger ADP, we have a team called business security officers, whose mission is to understand how our business is designed and delivered so that we're constructing our security services in a way that serves and supports what we do.

It's almost too obvious to say, but security is a fundamental driver of business and competition. The businesses that win will be those with security leaders who know how to leverage it. 

As the chief security officer of ADP, Roland Cloutier works to protect and secure one of the world's largest providers of business outsourcing solutions. His expertise includes managing converged security and business protection programs. Roland has functional and ...