Security and the Business: It’s good to talk

Paul Watts
Published 09 March 2023

Distinguished Analyst Paul Watts explores the shifting nature of business, the role of the security leader, and the implications of continuing to not align to each other’s goals.

A (digitally transformed) life after the pandemic

As recovery from the impact of the pandemic continues, digital transformation is dramatically changing how many organisations operate. Promises of innovation, efficiency and prosperity build pressure to transform as quickly as possible. However, uncontrolled and rapid transformation can increase both business risk and potential reward. Security and business leaders have become disengaged at a critical time. Change is urgently required on both sides to establish working relationships that ensure digital transformation risk is properly owned and managed. In this article, we will explore the reasons why disengagement has occurred, the implications of doing nothing, and the critical first steps to take in rebuilding those relationships.

The business relationship hits a rocky patch (or: “It’s not me, is it you?”)

“I just can’t hold [the board’s] interest,” bemoaned a well-respected and long-standing Chief Information Security Officer (CISO) at a recent gathering of security leaders in London. Suggesting that perhaps this is because the business isn’t finding it interesting or useful produces an interesting reaction: the CISO is not the problem; the problem is that the business thinks it knows best and doesn’t want the CISO’s help.

I think there is a bit of denial here. The reality of the situation is that the problem is not one of interest, but one of relevance.

Technology in business has had an image problem for years. Expensive, difficult to understand and use. Hostile. Intimidating. But where technology was once a luxury that merely supported the business, it has now become the business. Teams were created to manage technology on the business’ behalf, partnered with security staff to ensure that it all remained safe. The business cared little about how it all worked and happily left them to get on with it, only engaging when they needed something, or something broke. And for many years, this was enough.

Technology consumers now feel empowered. But the knowledge gap lingers on. As does the risk.

Technology has matured. Innovations have demystified it, made it easy to use and empowered its consumers. The dependencies on technology and security teams to keep things running are perceived to have vanished.

Here lies the metaphorical ticking time-bomb.

Modern, accessible technology introduces uncontrolled risk to businesses if implemented rapidly without any due diligence. Much like giving a small child a power tool and walking away, the outcome is likely to be a dangerous one without support and oversight…
