When I chose information security as my profession, it was a conscious decision. I felt compelled towards the technology and the fascinating challenge of securing a shifting, metamorphic ecosystem. When we think of the term “security” in our technology context today, we immediately conjure up images of putting up walls, defenses and traps to keep the hackers, thieves and spies at bay. But given the harsh consequences, bordering on the catastrophic in some cases, of today’s security incidents, I feel we need to re-think how we define security. I wrote in my last blog (https://blogs.rsa.com/ciavalue-ciso-imperative/) about adding “Value” to the Confidentiality, Integrity and Availability principles of information security. The more I think about it, the more I believe we may need to redefine the term Security in general across our industry.
As a father and husband, my family’s security is always a consideration. However, I don’t just think of the locks on the doors and windows of our home. I factor in many other elements. I consider our financial future. Am I investing enough to ensure financial stability in the future? I consider our health. Are we going to the right doctors? I consider our emotional happiness, my children’s education, our values, and our ability to live long productive lives. My vision of my family’s security goes well beyond just their personal safety. It projects into the future. It is holistic. It isn’t just “defense against bad things”. My definition of the security of my family is protection of their immediate and long term well-being.
Working for RSA – the SECURITY division of EMC – I am constantly aware of some of the immediate (and, I assert, inaccurate) reactions to that label. Security in this age does NOT mean just defensive measures. To me, RSA, as the SECURITY division of EMC, is therefore chartered to help our customers protect their immediate and long term well-being. Just as I consider more than the locks on the doors of my home, this mandate goes well beyond traditional security concepts.
Is the business protecting its financial viability for the future against all threats? Some of the threats are absolutely related to the hackers, thieves and spies. Cyber-risk is top of mind for all companies now, and the connection between the technology and the business has undeniably hardened. However, threats such as natural disasters, compliance failures, poor governance, fraud, and a host of others can damage this financial viability with equal violence.
Is the business making the right relationships – or managing the risks around the external parties that contribute to the company’s strategy? No company is an island today. Some business function, operational element or widget critical to the company’s success is outside its control. Managing relationships with vendors, service providers and business partners is essential to long term welfare.
Is the company fostering a risk-aware culture and enabling its employees to make the right decisions? Just like my concern for my family’s education and values, a secure organization means that the people, the first line of defense against many of today’s risks, understand the long term implications of their actions and make the right choices.
These elements of ‘security’ point to a broader, grander vision beyond the traditional boundaries of technology security. Within RSA, the addition of Governance, Risk and Compliance concepts on top of conventional protection strategies implemented through innovative technologies brings these extra, necessary elements to the mix. If today, business IS technology – regardless of the industry – we can no longer think in the same terms and differentiate between technology security and business security. Business security, like my family’s security, is beyond locks on doors.
There has been much prognostication on what 2015 holds. My proposal for you to consider is to explore a broader definition of security with your business stakeholders and engage in the discussion of the health and wellness of the company. Take security beyond its traditional boundaries. Go beyond the bits and the bytes. Factor in the full range of threats your organization faces. Security cannot rest solely on the few InfoSec resources within the company. We have seen what happens when the entire company, management included, has not engaged against digital threats. When you discuss Security (capital “S”), think of it as the protection of the immediate and long term well-being of the company.
This mindset elevates your conversation about IT security into the world of operational risk management, connecting digital risks with the broader business risk. For more information on Operational Risk Management, see Gartner's latest report.