Security can be an enabler for a more efficient, and more profitable business. But making security work for the business takes skill.
This was the message from the Security as an Enabler panel at Infosecurity Europe 2014, chaired by Peter Wood, CEO of First Base Technology
and of member of ISACA's
London Chapter security advisory group.
This does, though, require a culture change among both security professionals, and the business. Security professionals can no longer say no, but they also need to advise the business on acceptable levels of risk.
"With the move to the cloud, you have to move away from protecting the castle. You have to protect the data and the applications, and that changes the process," said David Cass, SVP and CISO at Elsevier. "You have to help the business to make money," said Lee Barney, Head of Information Security at the Home Retail Group.
But, said Peter Wood, helping the business means finding security professionals who have business acumen. "It is up to us to find, and nurture, people who want to help the business," he said.
This means engaging with the business, said Michael Colao, Head of Security, Chief Technology Organisation at AXA UK, even if that is a battle the security sector has been fighting for some time. "It means having security professionals prepared to engage with the business," he said.
"They need to answer the questions the business wished it had asked, rather than the questions it actually asked." Non-security professionals will think in terms of easier access to an online account, rather than biometric or token-based security."
But, although the panel remained skeptical about how far information security can go in driving profits, it is clear that poor security, and poorly-implemented security, can drive away customers.
"In retail, if people don't like what you do, they vote with their feet," said Barney. "Are margins are very tight. We absolutely have to keep our customers, and we care about the customer journey, and customer security."
Even in industries where physical security is part of the culture, this remains a challenge in information security, according to Andy Jones, CISO, Maersk Line. "It is not any easier," he said. "We try to link infosec to physical security, in areas such as aeroplanes, but there is still an airgap between them."
The answer is to look at security from the business – or the customer – point of view. "You need to look at whether you have made it easier or harder to log on to a service," said Lee Barney at Home Retail Group. "Link it to the business, and the language of business is money."