Security goals and risks must have solid mapping with business for effective implementation
Security is so intricately linked to business outcomes that by 2020 100% large enterprises will be asked to report to the boards on cybersecurity and technology risks, says Gartner.
Securing your enterprise begins by communicating effectively about it. No sword-wielding James Bond or 007 hi-tech style protection can secure your parameters if organizational beliefs are not aligned to your policies.
So how does one go about achieving it?
As an IT leader who also leads customer trainings, BPO, airlines management, product development and GDS services, I have learnt a thing or two about the crucial art of presenting the case logically, making it meaningful to stakeholders. However, brilliant a plan or however meticulous the execution, bottom line is no goal can be achieved without the buy in of stakeholders. Here are few insights based on my experience.
Focus on winning mindshare. Don’t go overboard
Prevailing tendency amongst security practitioners is to over-sensationalize threats and thereby filter everything. Instead focus on getting the buy in of stakeholders with engagement strategies. Users resist too much policing and operations become handicapped with restrictions. Employees find ways to evade barriers and gradually compliance erodes and you lose the battle. This starts a downward slide in credibility and you begin to lose battles, eventually losing the war against security.
Align messaging with business outcomes
The CIO must have thorough understanding of the organization’s business and any conversation about security risks must be aligned with business risks. Speak the language of your audience to get across the message. This means if you are talking to the CFO, articulate clearly the financial advantages of security measures. If you are speaking to business heads, focus on enhancing customer confidence with solid prevention and remedial strategies; with HR and marketing the implications on brand equity and so on.
Identify goals with due diligence
Combine your business understanding with associated risks and do a heat map analysis to arrive at realistic goals of organizational threats. Security goals and risks must have solid mapping with business for effective implementation.
Develop comprehensive approach
Prevention and protection strategy should be comprehensive encompassing network, devices, users and policies to ensure compliance—strategies to combat known threats, extend coverage to shadow IT, address data protection and threat detection. Enterprises strategy must evolve from protection to prevention and remediation with built-in monitoring, and a culture that ensures compliance in every level.
User must be convinced about the need for security and compliance, else implementation will not be effective. Individuals must be responsible and complaint while interacting with organizational data and assets. Focus on communicating the risks to business, loss of customer confidence, legal implications of compliance and the crucial role each employee plays in achieving organizational roles.
As threats become more sophisticated and lethal, organizations must adopt a security-first policy to build resilience, survive and thrive. Ensuring security is not about technology but a company culture and business strategy in which every stakeholder must be a willing and interested participant. At the same time, it is important to strike a balance and allow IT to play its role of delivering value to business.
The author is AVP - IT & GDS Services, CIO at InterGlobe Technology Quotient