Building the Next-gen Security Team Requires Big Transitions

The SBIC has released a report sponsored by RSA advocating for information security to become a cross-organizational function

Against the backdrop of today's hyper-connected business environment, the evolving threat landscape, new technology adoption and regulatory scrutiny have meant that the essential activities and responsibilities of enterprise information security teams are very much in transition. To help bring some clarity and provide guidelines for architecting a next-generation security team, the Security for Business Innovation Council (SBIC) has released a report sponsored by RSA advocating for information security to become a cross-organizational function.

Security functions, the report argued, should be embedded into business processes, and security teams should be working closely with business units on information risk management and cyber threat mitigation. The information security discipline must also embrace a joint accountability model in which responsibility for securing information assets is shared with the organization’s line of business managers and executives, who are beginning to understand that they ultimately own their own cyber-risks as a part of business risk.

In the old model, well-worn processes and checkbox functions are the norm, with security teams lacking in terms of communication with executives. That approach cannot adequately keep up with today’s level of complexity, the report argued.

“The core security team’s expertise should be primarily focused on delivering consulting, providing direction, driving strategy, identifying and explaining risks to the business, understanding threats and moving the organization forward – not be encumbered by the day-to-day routine operational activities,” explained Bob Rodger, group head of infrastructure security at HSBC Holdings, in an emailed statement.

Council members offer seven recommendations in the report to help organizations build state-of-the-art security teams with the diverse skills needed to take on expanded responsibilities in managing risks to information resources throughout the enterprise. Those skills include business risk management, law, marketing, mathematics and purchasing.

Many of the advanced technical and business-centric skills needed for security teams to fulfill their expanded responsibilities are in short supply and will require new strategies for cultivating and educating talent, as well as leveraging the specialized expertise of outside service providers.

To help organizations build a state-of-the-art extended security team, the Council drafted a set of seven recommendations.

First off, the core team should be focused on increasing proficiencies in four main areas: cyber risk intelligence and security data analytics; security data management; risk consultancy; and controls design and assurance. Repeatable, well-established security processes should be allocated to IT, business units, and/or external service providers. For particular specializations, enterprises should augment the core team with experts from within and outside of the organization.

The security staff should partner with the business side of the house in managing cybersecurity risks and coordinate a consistent approach. The team should make it easy for business personnel and should hold them accountable. The team should also develop trust and influence with key players such as owners of the 'crown jewels', middle management, and outsourced service providers.

There should also be people on the team with experience and certifications in quality, project or program management, process optimization and service delivery.

Finally, given the lack of readily available expertise, developing talent is the only true long-term solution for most organizations, the report noted. Valuable backgrounds can include software development, business analysis, financial management, military intelligence, law, data privacy, data science and complex statistical analysis.

“For this transformation to be successful, security must be seen as a shared responsibility that requires active partnerships to manage the inherent risks to the business in the ever-evolving threat landscape,” said Art Coviello, executive vice president at EMC and executive chairman at RSA. “It is imperative that organizations can develop a security team with the right expertise needed to get the job done.”
