

4/10/2017
10:30 AM
Roland Cloutier
Commentary

Setting Up Security as a Business: 3 Best Practices for Security Execs

Security leaders need to show they provide more than stop-the-bad-guys services. Here's how.

At the beginning of March 2017, a third-party platform launched that promises to be a bidirectional clearinghouse for the security industry's approach to third-party risk management. Called CyberGRX, the company says it will dramatically reduce what is today a manual, spreadsheet-driven process in which customers assess vendors inefficiently, one questionnaire at a time. The aim is to let the security teams of both vendors and customers spend their time protecting their respective businesses instead.

The existence of CyberGRX and other new services signals a movement in the security community. It's a clear confirmation that security is now a fundamental business issue and a potential growth advantage — and that security executives must take the lead in convening the business and having discussions about how security becomes a strategic lever.

[Check out Roland Cloutier's session, Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage, at Interop ITX on May 17.]

And more often, security execs have the floor. The sheer volume of cyberattacks, exploits, and cybercrime has made it clear that every company will be affected by a security issue. Security officers no longer have to waste time legitimizing security as a business risk; they should be the lead executives who provide the insight and the detail on business impact that business leaders need to make sound decisions.

This is the moment that security professionals must change the view of security from a defensive "stop the bad guys" function to a strategic lever that is critical to sustaining and driving the business. This "Business Operations Protection" mentality has been simmering within the security community for a long time, and there are three things its leaders must do to make sure the mindset is accepted by the C-suite and board of directors.

1. Know the state of security.
Security leaders are being heard, but how did we get here? In other words, what resonated with your C-suite and board in the first place to give you a seat at the table? There are three main trends:

  • More volume and velocity of cyber incidents. In 2016, more than 4.2 billion records were breached in 4,149 separate incidents globally. What are the trends in your industry and against your business, and how are you proactively defending your organization from these threats?
  • More dramatic and objective business impact. In recent years, security attacks have been measured against things that align with business impact: consumer confidence, business reputation, and rising costs are a few popular metrics. For example, in 2015 the Lloyd's of London insurance market estimated that cyberattacks cost businesses as much as $400 billion a year, including direct costs plus residual post-attack business effects. In what way can probable events affect your business, your clients, or your go-to-market objectives?
  • Greater accountability to be secure and to report as such. Other companies in your ecosystem — suppliers, distributors, customers, competitors, government agencies, and so on — are also more aware of the risks of cyber incidents than they used to be, so we're seeing more reporting and compliance-like regulatory measures appear. Not complying comes with its own potential costs and penalties. Examples include the General Data Protection Regulation in Europe and the New York State Department of Financial Services cybersecurity regulation; both carry implications for the theft of personally identifiable information, payment data, and personal health information, as well as the costs of credit monitoring and notifying customers.

2. Speak the language of business leadership.
Security leaders are great at understanding the business at a technical level, as well as the bad guys and residual risk measurements. On the other hand, they're often not as well versed in talking about the security function's goals in a way that resonates with the business. Business leadership will listen to, understand, and support the security team's mission when the team merges its performance indicators with the business impact behind them, defines clear alignment to the company's strategic imperatives, and lays out a road map for security, risk, and privacy efforts that accelerate the company's goals.

To accomplish this, you should be armed to discuss:

  • Strong metrics around how breaches affect the business. For example, cost per incident and its impact on your company's profitability, or the number of incidents caused by employees, technology, or external actors, and the resulting hours of downtime to enterprise systems.
  • The less quantifiable effects of security attacks. For example, the reputational impact on your company, client wins and losses attributable to security features, or client satisfaction and net promoter scores after an incident.
  • How security services, projects, and programs provide foundational capabilities that are necessary to deliver or accelerate strategic corporate imperatives.

3. Become an expert in the business.
In talking security, what can get lost is what it's all for. In other words, security leaders must know end-to-end how their business designs, builds, delivers, and supports the products or services it takes to market.

Some of the key questions to ask:

  • How do we make money? What is our profitability model? Is it built on repeat business? Is it built on net new clients?
  • What does the network of organizations impacting my business look like? Who does business on my behalf? What type of information and technology are exchanged? What supplies my organization so that it can deliver services?
  • What is my intellectual property and why does it matter to my business?

To drive security as a business, at ADP we have a process called value chain risk assessment. We look at our business model and map out the value chain. Because we have multiple businesses within the larger ADP, we have a team of business security officers whose mission is to understand how each business is designed and delivered, so that we construct our security services in a way that serves and supports what we do.

It's almost too obvious to say, but security is a fundamental driver of business and competition. The businesses that win will be those with security leaders who know how to leverage it.


As the chief security officer of ADP, Roland Cloutier works to protect and secure one of the world's largest providers of business outsourcing solutions. His expertise includes managing converged security and business protection programs.
Comments

technicalaccademy (4/11/2017, 1:44:52 AM):
Technology
It is so nice