A guest article by Romi Mahajan
In an early part of my career, almost 20 years ago, I had the opportunity to work with some incredible people in the “security” space. Many of those I had the privilege of working with and learning from have gone on to do noteworthy things in the space, from being CISOs of large companies, to starting successful security startups, to authoring important and even tectonic articles on the space.
As I recall from those heady days two decades ago, those involved in the “business” and “marketing” sides of security (as opposed to the technical side) all agreed on one thing: security has to be framed as a business issue, not just a technical one. Ninety percent of those on the technical side agreed with this.
While the sentiment appears to be a cliché, it is perhaps more nuanced than it might seem. The point is not merely that security impinges on business and as such must be taken seriously. Instead, the emphasis here is on the nature of the business and the corresponding defense posture that a business should take. Additionally, it is a reminder that the nature of the business will dictate the differential investments in security that make up the whole.
Twenty years ago, I had an easy example to trot out for explanation: if your company is an e-commerce play, then making sure your website is not hacked and is up and functional is key to your business. Not so much if your company is a restaurant. Both require security, but in different ways and at different levels of investment.
At that time, we created a “Risk Assessment” that essentially assessed business risk and mapped it onto security posture and spending. The idea was that the two should match in valence: you don’t want an important asset left unprotected, nor do you want to spend millions to protect something that is irrelevant.
The notion that business risk is the key element of analysis has persisted, and it would be a truism if it were indeed a universally understood idea. But alas, it is not.
We still encounter generic language and unnuanced views of security. We still see complacency in the ranks of business leaders, relegating security to something that “IT will think about.” We also still see a shifting landscape of blame, conveniently forgetting that security has to be a Board-level issue.
LAMR Group’s Paras Shah says it well: “After-the-fact finger pointing does no one any good in security. Resilient frameworks for managing the business issue that is security have to be developed and funded, continuously, by the Board of any organization of appreciable size.” Security thinker Manish Godha adds, “Security better be part of your 2022 plan. Non-negotiable.”
In a world of daily breaches, attacks and ransom demands (on and against the systems on which our entire human infrastructure runs), security must not only be top of mind; the “thinking” has to be met with real action. The suggestion that security is just a technology issue has no place in the dialogue of 2022 and beyond.