Recognizing Security as a Strategic Component of Business

COMMENTARY

Amid an onslaught of ransomware, supply chain, and other cyberattacks against business and industry, corporate boards and other business leaders are keenly aware of the importance of cybersecurity. But only to a point. Many organizations still often view security as its own domain and see security teams as separate entities operating outside the flow of business.

Those organizations are missing the bigger picture. Security should be a strategic component of the business, as opposed to a cost center, because of the value it brings to the business. Security teams not only protect the business, its customers, and its shareholders — without which the business couldn't operate — but they also can provide services that are truly enabling.

A new security service that enables customer self-service, for example, doesn't directly generate revenue, because there's no charge to the customer. But it does improve the customer experience, adding value for customers and enabling sales. Security needs to come out from behind the curtain and create sales opportunities, providing competitive differentiation for the company.

Security's Growing Importance

IT and security teams have become enmeshed with business operations; it's very rare that any initiative these days can be launched without the IT team on board. The growing prominence of cybersecurity can also be seen in the evolving relationship between the chief information officer (CIO) and the chief information security officer (CISO).

Not long ago, CISOs reported to CIOs. Conflicts could crop up because they had different priorities. CISOs could be concerned mostly with risk mitigation, while CIOs were willing to accept as much risk as required to meet budget targets. And there was a clear chain of command.

Today, however, CIOs and CISOs are on more equal footing because they are much more dependent on each other. Any new services must be built at acceptable risk levels, and they must be compliant with policy. There is a tight partnership there. CISOs, in fact, not only have more responsibility, they have more accountability, to the point where they could face criminal charges if things go askew.

There are other ways that IT and security can be more integral to operations, such as in crisis management. A lot of companies have business continuity and disaster recovery plans, but they lack a crisis management plan. Security may not own this area of focus, but it is a key stakeholder.

Events ranging from social unrest to a cybersecurity attack can impact operations and even put the brand at risk. Responding to these events requires large-scale coordination involving different business units throughout an organization. IT can play a critical role in coordinating these efforts and refining them as they go through testing.

Talk the Talk of Business

What can IT and security organizations do to raise their profile in the business? For one thing, it's important to remember that security has a vernacular that's foreign to many people on the business side. When trying to gain support for a risk mitigation strategy, for example, you should present your case in the language of your audience, focusing on their priorities, rather than besieging them with security-related technical terminology.

Keep in mind also that audiences vary, and the language you use should adapt accordingly. For example, customers may be focused on remaining compliant and reducing risk, so a conversation with them can focus on how a new risk mitigation feature helps them. An executive team tends to be operationally focused on a project's business case and ROI, so you talk about the value of risk mitigation and the financial impact and return on a project.

At the board level, members have a fiduciary responsibility and are likely focused more on providing the right governance and oversight than on a specific business case. When talking about a risk mitigation strategy with the board, you can focus on benchmarking and the right security posture for your industry.

You don't talk to the board about operational metrics, for instance, or to customers about cybersecurity risk benchmarks. You need to connect the dots in a way that each group understands. "Reading the room" comes in handy.

Speaking of boards, it's helpful for an organization to have board members with cybersecurity experience — if not a dedicated cybersecurity expert, at least one person with enough knowledge of cybersecurity and risk to provide some oversight. Cybersecurity knowledge should be part of the balance of a board's expertise.

The Emergence of AI

While artificial intelligence in cybersecurity is still in its nascent stages, companies are starting to identify ways to leverage AI to go beyond the expected benefits of enhanced threat detection and incident response times. AI-powered security stacks are helping security teams generate new revenue streams by bolstering customer trust, enhancing business continuity, and providing competitive differentiation. As the power of AI increases exponentially, security teams will continue to identify strategic use cases to drive revenue and add value to their business. 

We are long past the point where security can be treated as a separate entity within businesses; it is too tightly intertwined with every aspect of enterprise operations. As with any paradigm shift, adapting to this new reality requires organizations to adapt, not just in terms of technology adoption but culturally as well. In order to thrive in these new market conditions, companies must come to the understanding that the business of security is also business itself — and act accordingly.