Security: It’s not just about risks. It’s about business value


Posted on: Dec 17, 2015 by Abbas Shahim

The cyber threat landscape is evolving rapidly. What security challenges will companies have to face in the next five years? What is the impact on organisations' security and compliance management practices?

In terms of security, the truth is that companies find it more and more difficult to keep pace with technology acceleration. New digital platforms create new potential breaches as well as new opportunities. Processes are digitalized and back-office systems are opened up that were never designed for today's uses. The IT/OT convergence is accelerating, as we have highlighted in our Journey 2018 vision. In addition, we are living in an increasingly intertwined world. Organisations cannot operate in isolation any more. They are part of complex digital ecosystems and business chains that evolve, sometimes in near-real time. So they depend on the security of others.

As a result, security is becoming a more complex and sensitive challenge. Facing security threats is a never-ending journey, and for the CISOs we support, the most pressing task for 2015-2020 is to dynamically keep pace with this increasing complexity. That means preparing for the unknown.

What is the impact on security and compliance management practices and organisations in the years to come?

For many years, IT and business have been considered to run on parallel but somehow separate tracks. IT mostly reinforced operational excellence and was considered purely technological. Business was supposed to take care of strategic issues such as business risk or compliance.

Today, this separation no longer makes sense. IT is business and all business is digitalized.

Yet IT security and business security usually continue to stand on two separate tracks in most organisations, even if some pioneering companies have begun to unify them. When you assess risks, you must take everything into account. You must not compartmentalize issues.

The good thing is that what works for risks also works for profits. Security doesn't just avoid risks. It brings value. It creates confidence, as it can enable safer ways of doing things: secure mobility, seamless operations across partner ecosystems, new data-driven business models in the data economy, etc. Some studies have already shown how a small difference in customer trust can translate into a 20% increase in sales for online retailers. It's the same in all other sectors. Trust can be a door opener.

More and more of the companies we work with are beginning to leverage that, notably in their business-driven privacy and compliance strategies. So the secret of success is to evolve towards a truly business-driven security strategy. It goes well beyond security. It's a matter of trust and compliance.

Security by design: seems obvious?

I really believe we are at a turnaround in security. During the last few decades, security has essentially been an afterthought. Companies designed things, and only afterwards thought about how to secure them, going to the CSO only then. That makes no sense any more. What is needed to develop business-driven trust strategies is to incorporate security from the start. That means implementing security by design. Seems obvious? Yet so many corporations are still working the old way. Even some classic security certification approaches are operated like that.

In my view, the generalization of security by design will be the major security move in the years to come, notably for the 2015–2020 period. CISOs are expecting this. They should be given the support of the C-suite to manage it. It requires adapting the development process. It requires a change in operations too, with an end-to-end service assurance approach.

We deploy this kind of synergy in new DevOps processes for our customers. And we have identified several golden rules in our latest "Ready for Anything" white paper on business-driven security: put security at the heart of your digital transformation strategy, think in ecosystems, and put customer trust first.

This calls for a more 'holistic' view: policy definition, strategy formulation, governance structure, security management and forensic approaches, all of which should be transparent and auditable as well. This of course requires dedicated methodologies, tools and scorecards. But, above all, it requires dual business and technology expertise, within each vertical and also across verticals, to share best practices. In today's digital world, frontiers blur. Telcos must learn from banks, the public sector from retail, manufacturing from utilities. And vice versa. This is the condition for foreseeing future risks and integrating security from the start.


About Abbas Shahim

Business & Management Consultant
Abbas Shahim is a partner at Atos Consulting, where he heads the international GRC practice. He is also full professor of IT Auditing and GRC at the VU University Amsterdam.