Roland Cloutier

Setting Up Security as a Business: 3 Best Practices for Security Execs

Security leaders need to show they provide more than stop-the-bad-guys services. Here's how.

At the beginning of March 2017, a third-party platform launched that promises to be a bidirectional clearinghouse to improve the security industry's approach to third-party risk management. Called CyberGRX, the company says it will dramatically alleviate what is now a manual, spreadsheet-driven process of vendors being inefficiently assessed by customers. It will allow security teams for both companies and customers to focus on protecting their respective businesses.

The existence of CyberGRX and other new services signals a movement in the security community. It's a clear confirmation that security is now a fundamental business issue and a potential growth advantage — and that security executives must take the lead in convening the business and having discussions about how security becomes a strategic lever.

[Check out Roland Cloutier's session, Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage, at Interop ITX on May 17.]

And more often, security execs have the floor. The massive number of cyberattacks, exploits, and cybercrimes has made it clear that every company will be affected by a security issue. Security officers no longer have to waste time legitimizing security as a business risk; they should be the lead executives who provide the insightful information and details on business impact that business leaders need to make sound decisions.

This is the moment that security professionals must change the view of security from a defensive "stop the bad guys" function to a strategic lever that is critical to sustaining and driving the business. This "Business Operations Protection" mentality has been simmering for a long time within the security community, and there are three things its leaders must do to make sure this mindset is accepted by the C-suite and board of directors.

1. Know the state of security.
Security leaders are being heard, but how did we get here? In other words, what resonated with your C-suite and board in the first place to give you a seat at the table? There are three main trends:

  • More volume and velocity of cyber incidents. In 2016, more than 4.2 billion records were breached in 4,149 separate incidents globally. What are the trends in your industry and against your business, and how are you proactively defending your organization from these threats?
  • More dramatic and objective business impact. In recent years, security attacks have been measured against things that align with business impact: consumer confidence, business reputation, and rising costs are a few popular metrics. For example, in 2015, British insurance company Lloyd's of London estimated that cyberattacks cost businesses as much as $400 billion a year, including direct costs plus residual post-attack business effects. In what way can probable events affect your business, your clients, or your go-to-market objectives?
  • Greater accountability to be secure and report as such. Other companies in your ecosystem — such as suppliers, distributors, customers, competitors, government agencies and so on — are also more aware of the risks of cyber incidents than they used to be, so we're seeing more reporting and compliance-like regulatory measures appear. Not complying comes with its own potential costs and penalties. Examples include General Data Protection Regulation in Europe, or New York State Department of Financial Services regulations, and all include implications for the theft of personally identifiable information, payment data, and personal health information, as well as the costs of credit monitoring and notifying customers.

2. Language to talk to business leadership.
Security leaders are great at understanding the business at a technical level, as well as bad guys and residual risk measurements. On the other hand, they're often not as well-versed in how to talk about the security function's goals in a way that resonates with business. By merging performance indicators with the impact that security has on them, defining clear alignment to the company's strategic imperatives, and creating a road map for security, risk, and privacy efforts that accelerate the success of company goals, business leadership will be able to listen, understand, and support the security team's mission.

To accomplish this, you should be armed to discuss:

  • Strong metrics around how breaches affect the business. For example, figures around cost per incident and the impact on your company's profitability, or the number of incidents caused by employees, technology, or external influences, and the resulting hours of downtime to enterprise systems.
  • The less-quantifiable effects resulting from security attacks. For example, the reputational impact on your company, client wins and losses attributable to security features, or client satisfaction and promoter scores after an incident.
  • How security services, projects, and programs provide foundational capabilities that are necessary to deliver or accelerate strategic corporate imperatives.

3. Become an expert in the business.
In talking security, what can get lost is what it's all for. In other words, security leaders must know end-to-end how their business designs, builds, delivers, and supports the products or services it takes to market.

Some of the key questions to ask:

  • How do we make money? What is our profitability model? Is it on repeat business? Is it on net new clients?
  • What does the network of organizations impacting my business look like? Who does business on my behalf? What type of information and technology are exchanged? What supplies my organization so that it can deliver services?
  • What is my intellectual property and why does it matter to my business?

To drive security as a business, at ADP we have a process called value chain risk assessment. We look at our business model and map out the value chain. Because we have multiple businesses within the larger ADP, we have a team called business security officers, whose mission is to understand how our business is designed and delivered so that we're constructing our security services in a way that serves and supports what we do.

It's almost too obvious to say, but security is a fundamental driver of business and competition. The businesses that win will be those with security leaders who know how to leverage it.

As the chief security officer of ADP, Roland Cloutier works to protect and secure one of the world's largest providers of business outsourcing solutions. His expertise includes managing converged security and business protection programs.