“The days of security being perceived as the Department of ‘No’ are coming to an end,” says Dominic Trott, Research Director for European Security and Privacy, IDC. He cites a recent IDC study*, Making Security an Enabler by Delivering Business Outcomes, sponsored by Orange Cyberdefense, in which 70% of organizations said they now see security as an enabler, a 21 percentage point improvement over the past couple of years.
“The relationship between security and the business is changing as chief information security officers play a larger role at board level,” says Trott. “This encourages more business-like behavior. In fact, this is a key characteristic of security teams being perceived as a business enabler.” IDC found that 56% of CISOs now report to a board member or sit on the board themselves.
Repositioning security as an enabler
IDC points out that this enabling power is diluted by organizational issues that keep security teams from reaching their full business potential. Security teams, for example, are often fragmented and overburdened by manual, routine tasks.
“The biggest threat I face in my own security environment is that it is too fragmented, meaning I can’t understand my holistic security posture,” says one CISO of a major European bank.
This is why it is important for security to work closely with the business. The objectives are twofold: to generally heighten security awareness and to ensure security is involved in new business initiatives from the beginning. “Beyond this, security teams must start to operate more like a business unit themselves,” explains Trott.
“Security teams need to communicate with decision makers in terms of operational risk and represent themselves in business terms to establish cybersecurity as a useful contribution to create added value,” adds Nicolas Arpagian from Orange Cyberdefense. “This cultivates security and business alignment for accelerated innovation.”
This is underscored by a CISO at a global pharmaceutical company who explains why it is critical to have a shared perspective between business and security: “Every interaction between security and the board is framed in terms of risk. It determines every decision we make, including vendor selection.”
Working with a partner to demonstrate business value
There are two primary outcomes that business-enabling security teams need to focus on to become more strategic in business decision making. The first is to increase operational efficiency and the second is to raise security awareness and culture, according to Trott. “For security teams seeking to drive business value, working with partners can help to achieve this,” he says. Third-party security providers can help to address limitations that prevent security teams from maximizing their capabilities and impact.
The specialist capabilities and qualities that third-party vendors can bring to the table can add real value to in-house teams and organizational operations. Sixty-nine percent of those surveyed by IDC said they were using third-party security providers to gain access to state-of-the-art technologies and techniques, 65% for specialist capabilities such as detection and response, and 67% to consume threat intelligence as a service.
As best practice for working with third-party security vendors, IDC has found that outsourcing key tasks and managing integration using a balance of both external and internal capabilities is the way forward. This is the path adopted by 64% of the organizations IDC surveyed.
The benefit of managed security services
Working around the clock to simply keep the lights on, budget constraints and lack of insight into security activities are limiting cybersecurity improvement. These challenges are exacerbated by the growing complexity of the security ecosystem. This is why organizations are increasingly looking to security aggregators. Seventy percent of respondents to the IDC survey would value a partner to reduce the number of vendors and simplify supplier and contract management.
“Outsourced security services are becoming a reality for many organizations as a way of circumventing the skills shortage by acquiring an outside team of highly skilled global experts and a full stack of cutting-edge security technologies,” adds Orange Cyberdefense’s Arpagian. “As well as helping to simplify the vendor ecosystem and meet compliance needs, a managed service provider can also help tailor a robust security program that fits the unique security requirements of a specific business.”
IDC recommends that organizations looking to improve the business impact of security adopt the optimum blend of third-party and in-house resources to meet security needs and harness threat intelligence to focus threat management activities on contextually relevant challenges. This drives efficiencies and maximizes output.
In addition, IDC recommends that organizations concerned about data residency and data transfer should consider working with EU-headquartered security service providers.
Security: enabling a digital future
Digital technologies and connectivity run through every aspect of business. With the advent of IoT and Industry 4.0, the threat landscape is only going to get wider. The more connected we become, the greater emphasis business is putting on understanding cybersecurity.
Now, more than ever before, CISOs and their security teams must speak the language of business enablement as the sharing of knowledge and information for day-to-day operations becomes critical to the success of organizations.
*Source: IDC InfoBrief, sponsored by Orange Cyberdefense, Making Security an Enabler by Delivering Business Outcomes, May 2019