Entrepreneurs are risk takers
Security is all about risk management. Unfortunately, organizations tend to relate security only to the internet and the cyberworld, but it is not just cybersecurity. It is critical for an enterprise to understand that security is not solely about data, applications and infrastructure; it is also about protecting customers, safeguarding the organization's reputation and instilling trust. Too often security is treated as an IT topic and ignored until an incident occurs that affects the whole enterprise and its customers.
The Equifax breach is an example of how ignored security warnings led to a data breach, one that affected an estimated 145.5 million US consumers. Equifax's brand has been battered by the breach, and consumers feel violated. This is not a unique situation, however. ServiceNow and Oxford Economics analyzed a survey on the state of the security function in which 300 CISOs participated; 70 percent of those CISOs said it is difficult to prioritize security alerts based on the importance of the target data.
How can that be solved? An enterprise security architecture provides transparency by tracing the measures in the security layer, such as security alerts, back to the high-level business targets they protect, like maintaining consumer trust.
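As an added illustration (not part of the original article) of what that traceability makes possible, the Python example below ranks alerts by the business value of the data on the affected asset rather than by technical severity alone. The asset inventory, data classifications, weights and sample alerts are all constructed for the example; the 1.5 exposure multiplier and the 1-4 weight scales are assumptions, not figures from the article or the survey. An alert on an asset the architecture does not know about is reported as an inventory gap instead of being silently ranked low.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed weights for the example (assumption: agreed with business owners).
DATA_CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXPOSURE_MULTIPLIER = 1.5  # assumption: internet-exposed assets carry extra risk


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str        # classification of the data the asset holds
    business_target: str   # the business objective the asset supports
    internet_exposed: bool


@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset: str             # hostname as reported by a hypothetical SIEM
    severity: str
    description: str


# Constructed asset inventory: the traceability an architecture provides,
# from technical asset to data classification to business target.
ASSETS = {
    "web-dispute-portal": Asset("web-dispute-portal", "regulated", "consumer trust", True),
    "credit-db-01": Asset("credit-db-01", "regulated", "consumer trust", False),
    "hr-wiki": Asset("hr-wiki", "internal", "employee productivity", False),
    "marketing-cdn": Asset("marketing-cdn", "public", "brand awareness", True),
}

# Constructed sample alerts.
ALERTS = [
    Alert("A-1", "marketing-cdn", "critical", "Weak TLS cipher suite offered"),
    Alert("A-2", "web-dispute-portal", "high", "Unpatched framework version detected"),
    Alert("A-3", "hr-wiki", "critical", "Brute-force login attempts"),
    Alert("A-4", "credit-db-01", "medium", "Unusual bulk query volume"),
    Alert("A-5", "unknown-host-7", "low", "Port scan observed"),
]


def business_risk_score(alert: Alert, assets: dict) -> Optional[float]:
    """Severity weighted by the business value of the data at risk.

    Returns None when the asset is not in the inventory: an alert on an
    asset the architecture does not know about is a gap to close, not
    something to rank low and forget.
    """
    asset = assets.get(alert.asset)
    if asset is None:
        return None
    score = float(SEVERITY_WEIGHT[alert.severity] * DATA_CLASS_WEIGHT[asset.data_class])
    if asset.internet_exposed:
        score *= EXPOSURE_MULTIPLIER
    return score


def prioritize(alerts, assets):
    """Split alerts into (ranked known-asset alerts, inventory gaps)."""
    known = [a for a in alerts if a.asset in assets]
    gaps = [a for a in alerts if a.asset not in assets]
    # sorted() is stable, so alerts with equal scores keep their arrival order.
    ranked = sorted(known, key=lambda a: business_risk_score(a, assets), reverse=True)
    return ranked, gaps


def severity_only(alerts):
    """The naive ordering, for comparison: technical severity alone."""
    return sorted(alerts, key=lambda a: SEVERITY_WEIGHT[a.severity], reverse=True)


if __name__ == "__main__":
    ranked, gaps = prioritize(ALERTS, ASSETS)
    for a in ranked:
        target = ASSETS[a.asset].business_target
        print(f"{business_risk_score(a, ASSETS):5.1f}  {a.alert_id}  "
              f"{a.asset:20} {a.severity:8} -> {target}")
    for a in gaps:
        print(f"  gap  {a.alert_id}  {a.asset} is not in the architecture inventory")
```

Run as a script, the severity-only view would put A-1 (a critical finding on a public marketing CDN) first, while the business-risk view puts A-2 (an unpatched framework on an internet-facing portal holding regulated data that underpins consumer trust) at the top and A-1 last. That reordering is precisely the judgement the surveyed CISOs say they struggle to make without a map from assets to business targets.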
Enterprise security does not exist in isolation
Typically, companies follow a siloed approach to enterprise security and risk management. There is no shared understanding of the dynamic nature of threats and no aggregation of risk at enterprise level: risk is treated in different layers by different stakeholders. Business leaders do not embed security into their long-term business strategy, and a primary cause is the language security representatives use when talking to business executives, which those executives cannot follow.
According to Gartner, worldwide spending on enterprise security will reach $96.3 billion in 2018, an increase of 8 percent from 2017. Yet despite this investment, organizations are increasingly being compromised, and the attacks are usually not sophisticated: they rely on simple mechanisms from the early 2000s or earlier. Companies also tend to lack the traceability needed to measure the impact of such a compromise on the organization.
Enterprise security is a business enabler
Security is the appropriate response to a business risk. The better the security measures are adjusted to the situation and priority of that risk, the more likely they are to be effective. Security should therefore be aligned with business targets, which proves challenging for many companies.
One of the main issues we come across is that business leaders struggle to interpret security. They often treat the security department as a 'business prevention' stakeholder that hinders growth and progress, when it should be the other way around: security offering assurance and confidence.
Equifax failed to install a patch. While the company invested heavily in firewalls, networks, antivirus and more, it missed the key control. That exposed a weakness and left the organization vulnerable; eventually, an incident occurred and dented the company's reputation and its customers' trust.
During the creation of a strategy, security should be cross-cutting and used to assure positive outcomes for the risk takers, lowering the chance of negative outcomes as far as is economically reasonable. Security should be treated as a business enabler that offers protection.
Enterprises face a rising risk to their financial performance, operational continuity, and reputation from information security breaches. According to research from the Ponemon Institute, costs per breach have increased by 30 percent in the last three years, and companies face a 26 percent probability of a material data breach in the next two years.
Enterprise security and architecture - a magical combination
Security is defined by the Oxford dictionary as 'the state of being free from danger or threat'. Security is something that helps someone (an individual or a group) to feel assured in doing something, somewhere. Imagine you are walking to a supermarket. You see an alley that looks like a shortcut. However, it is quite dark, you cannot see the end of the alley and there are some people with hoodies covering their faces lingering around. On top of that, you have recently heard about an increase in robberies in the area. By taking the shortcut, you could reach your destination 50 percent faster, but there is also a 70 percent chance of being robbed. Would you walk through that alley to find out if it is a shortcut, or would you take the normal route?
A perception of insecurity might influence your decision in this situation. The decision would be easier if the alley had proper streetlights, a police officer patrolled the area, nobody suspicious lingered around and a sign said: 'The supermarket's shortest route is this way.' Reducing the likelihood of being robbed indirectly increases the probability of reaching your destination faster. The alley would look more like a normal street, with fewer of the factors that make it feel insecure.
In a business context, the definition above needs a second clause: 'when taking risk'. That clause is what sits at the center of a strategy, or, put differently, of an enterprise (security) architecture. Thus: 'the state of being free from danger or threat when taking risk'.
Security = the state of being free from danger or threat when taking risk
Mitigating risk by incorporating security into the enterprise architecture can increase performance and lower disruption. One approach to reducing risk is applying the principle of 'Security by Design'. This should be done top-down, starting from the business needs and making sure it is coherent with the organization's enterprise architecture. Security architecture should blend into every business element (people, process, technology and partners) and not merely 'technology'.
Organizations today need a strong framework for developing risk-driven enterprise information security and information assurance architectures. These are essential when building security infrastructure solutions that support business initiatives, because they provide traceability: a clear line from each solution to the business objective it assists, and from the delivery of security infrastructure to the critical business initiatives it supports.
Enterprise security boosts your business
The solution, therefore, is to intensify focus on a security architecture framework. Such a framework allows a meaningful integration of the right technical and procedural solutions to business problems and helps determine an appropriate balance between strategy, tactics and operations. This lowers the risk an organization takes and, on top of that, creates assurance that business targets will be achieved. Organizations can improve further by broadening the framework beyond the Confidentiality, Integrity, Availability (CIA) triad, which is usually the default scope within organizations.
How can you embark on your enterprise security journey? Start by deciding the direction of your business regardless of security; consider this your business strategy. The next step is to think of security solutions that give your organization assurance of achieving those targets with reasonable risk. Essentially, the magic lies in aligning security functions with your business strategy, developing an enterprise security architecture that makes sense for YOUR business, and unleashing your maximum potential.