Cyber-Security Gaining Maturity
Moving from Sanctioned to Secured to Successful
We are in the midst of the presidential campaign journey and one thing remains constant: many campaign strategists feel we are moved most fervently when we are scared. Regardless of your political persuasion, fear and scare tactics abound. Transition this to how enterprises are approached by most security vendors today. Most articles and presentations start by reminding you of the many heinous security breaches that have taken place in the last few years and the dire consequences that resulted. While true, the base message is built on scaring you into action. This is a sub-optimal position when working to build a business or organization.
The goal of this blog is to review where we are with security motivations and maturity today and how we may be moving to a more positive and supportive context.
I suggest there are three waves of cyber-security maturity in the marketplace today. The first wave is built on regulatory requirements; what we are forced to do to be compliant with current statutes and laws. The second wave is focused on risk management and appropriately securing the assets you have based on priorities and value. The third wave is more positive and focuses on leveraging cyber-security for business growth and efficiencies.
Let’s review each maturity wave more closely.
Wave One: Compliance – feels most familiar and is predicated on what enterprises have to do to meet governmental and organizational regulations and guidance. Compliance thresholds are defined by the regulations or by the interpretation of the regulations by internal and external auditors. Common regulatory drivers include HIPAA, PCI, SOX and a continually expanding host of rules. Budgets generally are set by the boundaries of the auditor’s interpretations of requirements, with technology solutions that are focused on the business processes bounded by the regulatory coverage. Security in this wave is simply about doing what is mandated to stay in business. Security is the ante into the game and is viewed by many organizations as a tax on the business.
Wave Two: Risk Management – is about protecting what you have. Enterprises move from being mandated into security by regulatory requirements to taking inventory of all assets, assigning and prioritizing value, and then determining to what level they need to protect those assets based on uncertainty of events. Risk management’s security objective is to ensure uncertainty does not deflect the endeavor from the business goals. For cyber-security, this generally means determining the risk to and value of what the enterprise owns and establishing a budget commensurate with the assigned risk factors and asset values. We do this naturally with our homes in determining how much insurance we need and how comprehensive our security system should be. In this wave, the focus is on detection, prevention and response; it is technology heavy with a growing emphasis on people and process to protect the organization’s brand and market position. This is a more positive and thoughtful approach to security and one that is starting to be embraced.
Wave Three: Business Value – is a relatively new wave and works to leverage security as a value driver that directly affects business outcomes. The question to answer is how cyber-security can be utilized to bring efficiencies to business processes. Examples of this wave in action are:
- Utilizing identity and access management principles to create highly secure collaboration in product development that brings new product / service ideas to market more quickly.
- Adding the same people, process and technology identity solutions to your supply chain to bring significant efficiencies in complex environments where accurate visibility into second and third tier providers can improve delivery times and margins.
- Strengthening security in moving from a product-based to a services-based offering. Providing highly branded security and reputation in a services economy is a market differentiator.
Wave three is emerging within progressive organizations and transitions security from a tax to an advantage. Heavens, what a concept.
We are in an interesting time; there is no returning the toothpaste to the tube. Cyber-security is now a mainstay of our business processes. How we use cyber-security will be an ongoing endeavor and one that each organization will need to evaluate regularly. Are you implementing security practices and technology simply because you have to for compliance purposes? Are you now analyzing your assets and developing programs to appropriately protect the value you have? Are you looking to security as an opportunity to grow your business? There are no universal right or wrong answers – only the constant journey to find the best solutions at each turn. As we continue this journey, please share your thoughts and observations so we can be mindful of the best path.
CMI – Your Adaptable Data Center Company