Whenever executives gather, words like "leadership" and "vision" get thrown around — a lot. Gartner Symposium/ITExpo is no exception, but at a Monday morning conference session in Orlando, Florida, a Gartner analyst added specifics to the high-level vision around security and risk management.
Tom Scholtz, distinguished vice president and analyst at Gartner, began by pointing out how security has become a board-level issue at successful companies. He then spent the next 40 minutes talking about how executives should be turning their vision into something more concrete and how to lead with that solid vision.
He began at the top and worked down through a process that, he said, makes sense in today's highly dynamic business environment.
Why Are We Here?
Scholtz began with a typical "mission" statement for IT security: "to establish and maintain the organization, its digital platforms, people, partners, services, and things as trusted participants in the digital economy." Turning this into strategy, he said, begins with understanding the effects of at least three critical drivers: business, technology, and environment.
The next step is to establish where the security program stands today. At least two assessments will be necessary to get an accurate picture of the "now," he said. For some companies, external vulnerability and technology maturity assessments will do the job. Other companies, though, may need to add regulatory compliance, risk, or other assessments to build the proper foundation for a strategy.
Four additional steps will take a company to a strategy, according to Scholtz: Find the gaps between where you are and where you need to be; prioritize changes and actions based on the specific needs of the organization; gain approval from all stakeholders and the board; and execute on the plan.
Who's on First?
Those are standard parts of any strategy development, but Scholtz had some specific ideas to deal with the rapidly changing nature of an increasingly digital company.
One of the keys to building a solid leadership vision for security and risk management, Scholtz said, is establishing a solid governance plan. That is, figure out who is responsible for making decisions about data and who is accountable for those decisions. The answer, Scholtz said, should not be the CIO or the CISO. Rather, the business unit that has decided to collect and analyze a particular set of information should be the owner of the data, and it should also be accountable for its security, he said.
"Too many organizations say the CIO or CISO is accountable, but a key characterization of digitalization is that many changes are being driven by the business," Scholtz said. "We want the business to be innovative, but we also want the business to understand that if something goes wrong, they will be accountable."
Another key Scholtz stressed was basing decisions on the proper foundation. Too many businesses build implementation plans on processes, he said. A better answer is to base them on principles, and the reason has everything to do with flexibility.
One of the primary principles Scholtz recommended is a shift from protecting infrastructure to protecting business outcomes. A focus on business outcomes, he said, allows for consistency through times of shifting technology. Business outcomes also scale much more successfully than technology protections do, especially if an organization goes through times of rapid growth.
Another principle is that the security group should see themselves as enablers rather than protectors. If the business unit is going to be accountable for its data, then security's job is to enable the unit to make decisions that keep it secure. In most organizations, that enabling will also involve implementing pieces of security infrastructure, but the key to this principle is the accountability and cooperation of the business unit in security operations.
Enabling is important in a third principle, too: Security should become people-centric. Scholtz mentioned the traditional view of a "dumb" user as the weakest link in a security system and a factor to be minimized as much as possible.
"Increasingly, the 'dumb users' aren't so dumb — they're the ones driving innovation. We can't just lock them down," Scholtz explained.
Instead, he suggested, the current generation of technology-savvy users should be given (and be assumed to have) a certain level of knowledge about their systems and security.
"We must give them the knowledge that corresponds to the level of knowledge required to safely operate an automobile," Scholtz said, referring to the combination of "book learning" and practical experience that has to be demonstrated before someone is given a driver's license.
All of the plans and strategies that make up security leadership should be revised every year, rather than the three- to five-year cycle long considered sufficient, he added. And they should be reviewed quarterly to make sure business conditions haven't left them behind.
The keys to successful security leadership, Scholtz said, are remaining flexible, understanding the importance of context for decisions, and focusing on broad principles rather than prescriptive policies.