The business landscape has changed beyond recognition since I started working, way back in 1969. Every business is now reliant on IT systems and the Internet in order to function. (Just see what happens if your email systems are unavailable for an hour!) New technologies and working practices are introduced at a prodigious rate, as globalisation and consumerisation drive transformation and innovation.
As a result of our dependence on IT systems and connectivity, information and cybersecurity are being pushed up the corporate agenda. This is a good thing. However, information security and its practitioners are still seen as risk-averse business inhibitors who stifle innovation, limit agility and slow efficiency with their strict controls and policies.
Meanwhile, information security teams grapple with an increasingly complex and ever-changing threat landscape, while attempting to secure increasingly diverse and poorly understood sets of technologies.
With heightened attention at board level, information security professionals have an opportunity to reimagine information security as an enabling function, supporting and adding value to the business as it transforms and innovates. The challenge for many security people is that their passion and enthusiasm can be difficult to communicate to the senior level. We are asked to present arguments in a language business leaders can understand—to remove technobabble from our presentations. Oftentimes we struggle to properly express our concerns, and we fail to engage these audiences.
Our information security functions must evolve to become business-led. We must bring business knowledge to security teams and educate security practitioners about the business implications of threats. The perception of risk within information security must change. Information security must gain management and stakeholder buy-in and become fundamental to the enterprise, rather than a mere compliance issue. And the language used in this process must improve, so that risk intelligence is communicated effectively without instilling fear, uncertainty and doubt.
My keynote panel session at next week’s Infosecurity Europe will explore how information security practitioners can position security as an enabling function and truly support the business. We will consider:
- How to integrate security into agile business practices
- New strategies to enable security teams to understand enterprise objectives and speak the language of business
- How security can help the business collaborate internally, with suppliers and with customers
- How the security function can inform and contribute to business decision-making
- What skills are required for an effective security professional and what this all means for the role of the CISO
Chief executive officer, First Base Technologies, LLP
Member—ISACA London Chapter Security Advisory Group
Continue the conversation in the Information Security Policies/Procedures topic within ISACA’s Knowledge Center.