This blog is not going to try to scare you with real world stories of hackers taking over a company’s network and dragging it to its knees. For that, you can watch the USA Network’s critically acclaimed series, Mr. Robot (and you really should watch every episode). The intent of this blog is to demonstrate the importance of security as a business capability in your company.
Simply stated, business capabilities are the things a company does to be a successful business. You have strategic capabilities that differentiate you from your competitors, such as your strategic vision or the products and services you offer. You also have enabling capabilities; these are the capabilities that are required to support your company’s ability to perform your strategic capabilities. Examples of enabling capabilities are managing taxes or processing accounts payable and expense reimbursements. These are things you have to do well, but don’t have to be the best at (in your industry), because being the best usually will not impact your bottom line. Without being sufficiently competent at the enablers, though, you can be as strategic as you want, but it will get you nowhere.
One of these enabling business capabilities is managing enterprise risk. Typically, people think of enterprise risk as financial risk, compliance risk or legal risk. But managing risk from a security perspective is equally important.
It is all too common for compromises in security to destroy careers and companies. You can usually trace these tragic events back to a crucial error: a reluctance to manage the security function the same way as other forms of risk. By including cyber security in the larger picture of enterprise risk management, there would arguably be fewer compromises and certainly fewer surprises at the C-level and at the Board level. Just because cyber security involves technology does not mean that it should be limited to the IT department. We are now seeing IT Directors and even VP levels willingly give up the security function because they do not think along those lines, and they don’t want the career liability.
Managing enterprise security risk is a business capability. It is an enabling capability, one you have to do well consistently, but it’s not an area in which you have to be an industry leader, i.e. you don’t need to win any awards for implementing your security strategy. It is not only an IT issue because it integrates with almost every business capability.
You cannot improve a business capability without breaking it down into its people, processes, technology (tools) and information (PPTI). People are anyone who is responsible for performing tasks within a process, leveraging the technology and using the information to carry out the business capability. Processes are the activities performed by the people and the technology. Information is what is generated and used by the capability. You cannot assess the PPTI without having something to compare it to. For example, you cannot sell more widgets than your competitor until you compare widgets. Fortunately, in the security world, there are many people who have created and executed very reasonable and effective security strategies. Standards have been created from collaborations between these pacesetters. They are there for you to use and easy to come by. For example, the Payment Card Industry Data Security Standard (PCI DSS) caught a lot of grief early on for its ambiguity, but it has quickly matured and is a good standard for most organizations even if you don’t deal with payment card data. We have seen others start with the SANS Top 20 Critical Security Controls for Effective Cyber Defense.
It’s important that you select an appropriate match for your company. As your company grows and changes, you will discover that your requirements also change. Your ultimate goal may be compliance with ISO 27002, but whatever your security goal, you need to take the steps to determine how to get there and what to do. Here are 10 steps to help you do that.
A cyber security program is not an IT project! It is a business capability that is driven by a sound strategy that aligns with the overall corporate strategy. It is a business capability that is measured and refined as often as necessary. It is measured just like other areas of the business. It is important and you will find that it enables so many other business capabilities. For example, can you imagine even trying to manage your financials without any consideration for security?
A cyber security program is not a byproduct of IT! That wouldn’t be fair to IT, or to the business. It is a part of your business and it needs the attention of the business. Not only do you have to do it adequately, just like your corporate taxes, you also have to provide evidence that you did it correctly, just like your corporate taxes. If you treat it as a business capability, you will see positive results and in the end, sleep better at night (unless you binge-watched the entire first season of Mr. Robot).
About the author
Solis Security, Inc. is a cyber security consulting firm headquartered in Austin, Texas. Initially focused on supporting community and regional banks in the early 2000s, Solis Security now provides strategic security direction to organizations in different verticals while also supplying the people and tools to see that the strategy is carried out fully.