Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected, by focusing on how effective controls are. It requires a broader view, considering the needs of multiple stakeholders within the organization.
Business-focused security assurance programs can build on current compliance-based approaches by:
- Identifying the specific needs of different business stakeholders
- Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place
- Reporting on security in a business context
- Leveraging skills, expertise and technology from within and outside the organization
A successful business-focused security assurance program requires positive, collaborative working relationships throughout the organization. Security, business and IT leaders should energetically engage with each other to make sure that requirements are realistic and expectations are understood by all.
Time for a change
The purpose of security assurance is to provide business leaders with an accurate and realistic level of confidence in the protection of ‘target environments’ for which they are responsible. This involves presenting relevant stakeholders with evidence regarding the effectiveness of controls. However, common organizational approaches to security assurance do not always provide an accurate or realistic level of confidence, nor focus on the needs of the business.