RSA Europe: Infosec needs to talk the language of business in order to be an enabler

In their joint presentation, ‘Turn security into a business advantage’ on Tuesday 12th October in London, Beer and Colley drew on the results of the PwC report, ‘Lost in Translation? Exploring the roots of miscommunication: strategies to ensure Information Security is on your Board’s agenda’.

Their agenda seemed relatively simple: to advise and educate the audience on how to work with the business and demonstrate the business advantages that come with good information security practice.

“Making the business understand what you do, and making sure information security is valued by the business is important and all comes down to communication and making the business see that information security can give you a competitive advantage”, Colley mused. Beer added that the report does suggest that “whole businesses, not just infosec teams, are starting to see that information security does create business advantages”.

But how can CISOs prove their worth?

“For starters, don’t say no to the business”, advised (ISC)2's Colley. “Enable that particular technology securely rather than blocking it”.

The power struggle between the business, IT and security has been apparent for some time, and will continue to be, the presenters admitted. “The business sees IT as important, but rarely understands information security or sees a business need for it. It’s irrelevant if this is not the case”, says Colley, “because that is just how they see it”.

“IT thinks that security makes their life difficult - that it wants extra budget and functionality and delays the implementation of IT projects”, Beer continued. “Finally, information security feels unappreciated and believe they perform the most important function”, he said.

Seven steps to engaging with the business

John Colley listed seven steps for how the information security team should engage with the business, which were as follows:

  1. Know what you want from the business
  2. Understand the business context
  3. Know who you need to deal with
  4. Build rapport with key individuals
  5. Build trust
  6. Use the power of human contact – “Emails, policies, and awareness programmes aren’t enough. You need to spend five to ten percent of your time talking to people”
  7. Improve your skills

Above all, learning to speak the same language as the business and making risks and threats relevant to the individual business is very important, both Colley and Beer agreed. “When putting forward a case for information security, start with the business case”, said Colley. “Make your proposal short, get to the point, and emphasise what good things will come out of it. Work out what will turn the business on and lead with that”, he advised.

It is important to consider what your customers want, said Beer, who suggested that they are increasingly demanding information security and compliance. “In discussions, look at the lifecycle costs of infosec. Focus on the saved costs, and avoided damage, rather than on the outgoing costs associated with information security. Talk about the ICO costs – that will interest your CIO”, he laughed.

Always looking ahead

It is important, advised Colley, not to look in your ‘rear-view mirror’ at what has happened, and what has gone wrong, but to “focus on what will happen, what might happen. Try to be one step ahead of the bad guys”.

The report concludes that in the future, there will be a shift in the required skills of an information security professional – moving away from technology skills and towards business and enterprise skills. “Technology skills will always be important”, Colley assured, “but information security people will need to get more business orientated”.

The presenters shared with the audience the three things that information security must do in order to turn security into a business advantage:

  1. Support the business
  2. Defend the business
  3. Promote responsible behaviour

Within these three objectives, they offered some further tips on how to succeed:

  • Focus on the business and deliver value to shareholders. Provide accurate information on security performance, comply with regulatory requirements, and evaluate current and future infosec threats.
  • Use a risk-based approach. Protect classified information, concentrate on critical business applications, and develop systems securely, including email.
  • Act professionally and ethically, fostering a security-positive culture.

In conclusion, the duo summarised that in order for information security to create a business advantage, it must “concentrate on business, understand the business, and support the business. Which means not saying no”, said Colley. “Having said all of this, you still have to be the expert and provide leadership in this area”, he concluded.
 

The full PwC report will be available on their website in a week.
