Building a Successful and Sustainable IT Security Program

No business can transact, communicate or function without IT and data. In our digital world, security and risk management is now a core function of every organization.

IT and IT Security have often felt like they were subservient to business, providing value, efficiency and meaningful data. Although IT is increasingly integrated into decision making, IT Security is still seen as a roadblock rather than a key component of the overall business strategy.

But as businesses continue to invest in digital transformation, risks also increase. Outages, breaches, data loss, supply chain impacts—even warfare in the 21^st century—can’t escape the critical nature of technology.

Here are some thoughts on how to coordinate a sustainable IT security program that can better protect your business against growing cybersecurity risks.

Bridge the gap between business & IT

There is often a cavern between the business and IT: Business leaders do not understand IT risk, and IT leaders do not understand business risk. Bridging this divide is critical to protecting your company.

Business leaders need to seek clarity on technical decisions and how those decisions may increase risk to the organization. On the other hand, IT people need to understand that not every decision is black or white.

Buying new software, bringing in new technology or partners can be technically complicated, but may also put data availability at risk. IT people need to understand that we live in a world of grey and sometimes we can accept risk if at the other end of that is value or profit.

Balance people, processes and technology

Technology alone will not protect an organization.

Many organizations that invest in technology but will not hire the necessary resources to manage that technology—in the end, they only realize 10-20% of the expected value. For example, a company may buy next gen firewalls but fail to take advantage of the next gen features. Or, a company pays annual service contracts where the vendor provides new capabilities, but those new features never get turned on.

You need to balance your investments of people, processes and technology. Not enough people and there’s no one to answer the alarm bells. Not enough technology and you can’t stop or see the flood of attacks. Not enough processes and the people can’t effectively use the technology.

Quantify and measure your security program

One of my former supervisors used to frequently ask me “how are we doing?” He had a finance background and challenged me to measure the performance of our security program.

Quantifying and measuring performance is not necessarily about a particular number or range, but more about the trajectory: Are we getting better or worse?

As a leader within your organization, you need to be able to prove the value of these investments. You have access to a lot of numbers—KPI’s, metrics, attacks, email, spam, vulnerabilities. Make those numbers tell a story, help change course and shift your focus.

Align risk and investment

I had a CFO who helped me look at our IT security investments from both a security and business perspective. He supported our security efforts, but also asked “when is enough, enough?”

You cannot protect everything in the same way. Having a deeper understanding of what’s important to the business, where your important data and systems are and what applications are needed to transact will help you better align risk and investment.

To protect you company—practically—consider these questions:

• Can you get more out of existing tools?
• Can you focus efforts in areas that attackers were more likely to attack?
• Can you respond more efficiently by having less overlap in tools?

Build a culture of security and personal responsibility

Security is a team sport, not just an IT problem. Business leaders often think “IT has that covered.” The truth is, they often don’t. But it’s not their fault—IT can’t stand behind everyone’s desk and tell them what not to click on.

Security can’t protect what it doesn’t know. People in the company who create data—your sales team and business leaders—must understand the value of that data. And, they should understand how it is protected—who has access, whether it is encrypted, how is it backed up.

All in all, it’s critical to build a culture of security and personal responsibility. Our dependence on data, applications and systems isn’t going away any time soon. We collectively have an invested interest in better protecting data and systems from attack.