A business-centric approach towards Cybersecurity
Shaik Abdulkhader
Transformative CISO | Leading IT & OT Cybersecurity Strategies | AI Leadership Advocate & Keynote Speaker
Organizations that continue to invest in traditional information security approaches either fall prey to cyber threats or find themselves unprepared to deal with cyber crimes.
I think it is about time organizations moved their cybersecurity efforts away from traditional defensive approaches to a proactive approach aligned with the organization's business objectives.
To illustrate and simplify, let's classify traditional information security approaches into three types.
1. IT infrastructure-centric approach: In this traditional model, organizations tend to augment their infrastructure with products from a particular vendor, which form the building blocks of their infrastructure. As IT infrastructure vendors extend their reach into security, they introduce their security portfolio to solve the problems their own products generally introduce. Microsoft, IBM, and Oracle are examples of vendors with a complete range of products in the IT infrastructure space. In most such cases the decision maker is the CIO or Infrastructure Manager, with little involvement from the CISO or business representatives.
2. Security-centric approach: This is another traditional model, whereby security products and services are selected based on discrete needs and budgets. Generally, only analyst research reports are consulted and highly rated products are considered, with a "rip-and-replace" mentality rather than any type of long-term allegiance. Vendors like FireEye, Fortinet, Palo Alto Networks, Symantec, and Trend Micro fall into this category. Generally, the CISO or security team is involved, with little to no involvement from the CIO or business representatives.
3. Business-centric approach: This is an emerging approach wherein decisions affecting the cybersecurity of an organization are made jointly by corporate boards, CIOs, and CISOs. This new approach helps organizations plan an effective security program that is driven by business requirements, with a holistic scope including all business representatives, the CIO, the CISO, third parties, suppliers and partners; this improves cybersecurity effectiveness and operational efficiency, and helps align the program with enterprise goals and objectives.
The traditional approaches to cybersecurity are no longer working, as the critical link between the business and cybersecurity is missing. These approaches are generally governed by enterprise boundaries, which no longer exist with the advent of cloud computing, mobile and social networking. Another limitation of traditional approaches is that they are very audit-centric and compliance-driven, which means the controls are limited to the audit domain and driven largely by regulatory requirements. As everyone knows, cybersecurity threats have no regard for compliance objectives and regulatory requirements; compliance confers no immunity, and on the contrary, a compliance-only posture makes an organization more likely to be the next big target of cybercrime.
There is a strong need to change the approach and achieve a sort of cybersecurity enlightenment, as traditional approaches are ineffective, and organizations that fail to update their strategies run the risk of significant financial and reputational damage.
In recent times, cybersecurity has actually become a business problem, a boardroom discussion, and is listed in the top quartile of enterprise risks. Protecting the business should be the first and foremost goal of any security program, which also means that security programs must be linked with business goals. Hence, planning cybersecurity from the business-centric point of view helps organizations align their security programs with their business objectives.
An effective way to plan cybersecurity is to start with people first, by assessing the day-to-day activities of employees and third parties, and then to assess the functional needs by identifying the tasks or actions that technology will be used to accomplish in the organization. This makes it possible to learn where security breaches are most likely to occur, and why. It uncovers limitations in processes or technology that are making it harder for employees to do their jobs. Informed by that insight, it is possible to revise the security posture to streamline employee productivity while improving security.
This modern approach not only brings business efficiency and cybersecurity effectiveness, but can also help organizations adopt cloud technologies and embrace the concept of the Enterprise of Things (the enterprise adoption of the Internet of Things) much faster than organizations that tend to shy away because security and compliance concerns stand in the way of deploying innovative technologies.
The bottom line is that planning cybersecurity with a business-centric approach can lead to concrete gains in productivity, revenue, and customer retention. If your organization is among the majority of firms that don't, now would be a great time to start.
Disclaimer: The views and opinions expressed in this article are my own and in no capacity represent the views of my current or previous employer(s).
E2E Delivery management for a leading telecom operator in Qatar
8 years
Very well articulated. The article correctly describes the pain areas of and gaps in current IT security. The traditional approach of implementing standard security tools without customizing them to the organization's needs is not going to work in the present situation, where applications are mostly reachable to all and user behaviors are dynamic and random. One good practice for an organization's security compliance could be zoning the systems based on the type of users (admin, business, end user, quality, etc.) and applying the applicable security policies based on zones. There are many other ways. It is important to give time and effort to designing the security policy before implementing it.
Bilingual Cybersecurity Specialist with a knack for Problem-Solving| Expert in Governance, Risk & Compliance | Effective Communicator and Passionate Mentor | Proficient in AI & Cloud Security | Soft Skills Enthusiast
8 years
Good article Shaik Abdulkhader. To reach this level, it is also important that a convergence occurs at the operational and tactical levels. In fact, we live in organisations where the risk is common across the board among physical security, logical security, audit and compliance teams, just to name a few. At the technology level, we have IP, which has decreased the borders in the technology world. It is, however, disappointing to see how difficult it is for security or "risk management" functions to work together. If these functions can't work together, they just can't support the business. Convergence needs to be achieved at some point to reach the business-centric approach to security. Thanks again for this great summary!
Nice article Shaik Abdulkhader. For the second category, were you referring to business partners or technology partners? Or both? I suppose the challenge with tech partners is that their input would almost always lean towards a security-centric approach, which is what should be avoided. Perhaps this is what makes the role of a security "sage" in the business justified: capable of fully understanding the business operations and interests, as well as being a guru in security application and adoption.
Lead Operations at Edward Consulting India
8 years
// Cyber security threats have no regard for compliance objectives & regulatory requirements // Well said. Hence the approach has to be a balanced one, that is, while it is necessary not to compromise on compliance, it is absolutely necessary to have a pragmatic approach towards the threats. Regrettably, whistle-blowing and innovative ideas are suppressed in corporate companies citing compliance and regulation. Not only the boards, CIOs and CISOs; I think some informal chats can be had (without compromising confidentiality) with outsiders, e.g. forums. This may give some better insights and ideas to understand the threats. Also, discussions have to be held with the very bottom-level users doing the day-to-day work. This will help to understand the REAL security scenario so that countermeasures can be effectively planned (example: an IT technician silently enabling USB for his pal, giving direct access to the internet bypassing proxies and firewalls, or a user PC which has been running for years without any protection installed). Many a time, though those at the top plan sophisticated IT security, it gets diluted down the line, and thus it is necessary to know the ground reality. Hence, it is necessary for those at the helm of IT security to roll up their sleeves and make their hands dirty, NOT always but every now and then, instead of confining themselves to C-suites and just depending on reports sent by their team members about compliance by end users.
Cyber Security and Compliance | CISSP, GCLD, ISO 42001:2023 AIMS LI and LA, ISO 27001:2013 LA
8 years
I totally agree on business efficiency, but how is a business-centric approach going to bring cybersecurity effectiveness? Because we are giving up many processes in the name of lean methodologies like DevOps.