Framing Security as a Business Issue – A Lesson for 2022

A guest article by Romi Mahajan

In an early part of my career, almost 20 years ago, I had the opportunity to work with some incredible people in the “security” space. Many of those I had the privilege of working with and learning from have gone on to do noteworthy things in the space, from being CISOs of large companies, to starting successful security startups, to authoring important and even tectonic articles on the space.

As I recall from those heady days two decades ago, those involved in the “Business” and “Marketing” sides of security (as opposed to the technical side) all agreed on one thing: Security has to be framed as a business issue, not just a technical one. Ninety percent of those on the technical side agreed with this.

While the sentiment appears to be a cliché, it is perhaps more nuanced than it might seem. The point is not that security impinges on business and as such must be taken seriously. Instead, the emphasis here is on the nature of the business and the corresponding defense-posture that a business should take. Additionally, it’s a reminder that the nature of the business will dictate the differential investments in security that make up the whole.

Twenty years ago, I had an easy example to trot out for explanation: If your company is an ecommerce play, then making sure your website is not hacked and is up and functional is key to your business. Not so much if your company is a restaurant. Both require security, but in different ways and at different levels of investment.

At that time, we created a “Risk Assessment” that essentially assessed business risk and mapped it onto security posture and spending. The idea was that they should match in valence level: you don’t want an important asset unprotected, nor do you want to spend millions to protect something that is irrelevant.

The notion that business risk is the key element of analysis has persisted and would be a truism if indeed it were a universally understood idea. But alas, it is not.

We still encounter generic language and un-nuanced views of security. We still see complacency in the ranks of business leaders, relegating security to something that “IT will think about.” We also still see a shifting landscape of blame, forgetting conveniently that security has to be a Board-level issue.

LAMR Group’s Paras Shah says it well: “After the fact finger pointing does no one any good in security. Resilient frameworks for managing the business issue that is security have to be developed and funded, continuously, by the Board of any organization of appreciable size.” Security thinker Manish Godha adds, “Security better be part of your 2022 plan. Not-negotiable.”

In a world of daily breaches, attacks, and ransom demands, on and to the systems on which our entire human infrastructure runs, security must not only be top of mind but the “thinking” has to be met with real action. The suggestion that security is just a technology issue has no place in the dialogue of 2022 and beyond.

Written by Paul Dunay