The operational way of discussing ICT security with executives has become obsolete. An operational approach means reacting to threats, vulnerabilities, risks and audit findings as they arrive and communicating with the rest of the organization in terms of the technical details of each security issue. This style may still work in smaller organizations, but even there it quickly becomes overwhelming.
The operational style is a poor fit because the organization does not value it. Executives do not care which security issues are handled or how; they care that security is good and that it does not disrupt the business. New security standards can be expensive and difficult to manage, and because the business cannot see the profit in them, it tends to treat them as something the security people invented. An operational approach never reveals the real reason why these changes must be made.
A strategic approach, by contrast, is a co-operative way of handling ICT security within the organization. It means that security issues are identified and reported in relation to the business assets they are supposed to protect. This merges security into the business.
The key to the strategic approach is communicating how each security issue relates to the business the organization does. Instead of talking about exploit code and certificate names, security experts should focus on how the business benefits from the security work. The approach is then carried through by working together and discussing how a given ICT security issue can be resolved within the organization.
The biggest problem with the operational approach is that every security-related matter appears as a problem. The strategic approach is a new way for the whole organization to look at ICT security: it makes ICT security a vital part of the organization rather than a stack of problems handled one by one.
Business case example
Organization XYZ has security issues every month. Most of them stem from unpatched software with severe vulnerabilities. Hackers and other bad actors have caused multiple interruptions to XYZ's business, and this has begun to hurt customer experience and overall satisfaction.
XYZ's security team deals with the issues one by one and reports incidents and software updates to managers as completed tasks. New standards and updates arrive weekly, and the team struggles to find the time to complete them. The organization does not value the team's work: there always seem to be more issues, so the time and money spent appear to be going to the wrong things because security problems keep appearing.
The software department sends queries when it needs systems audited or wants guidance. The security team can only give brief, incomplete answers and usually says "no" to every inquiry about an upcoming feature. The development team in turn hides some security-related matters and pieces of software from the security team, because it does not trust the team's expertise and resents its negative attitude and input.
XYZ's security team has to change, and above all it has to change how the organization sees its value and its contribution to the organization's security. The team decides to move from its old operational approach to a more strategic one.
They start by changing how they report and discuss the security issues they have handled. Instead of reporting that a certain problem was fixed, they report that the business was protected from the impact of that issue.
Next they create an investment map that shows how security matters have affected the business and will affect it in the future. For each item the map lists the investment cost, the revenue potentially lost if it is not carried out, and which parts of the organization it affects.
They change their approach to software development and the business by joining business discussions and making security an integral part of every business project. They place dedicated security experts within the software development teams and also gain a seat on the executive board. They start auditing systems much earlier and rely less on third-party audit companies.
Organization XYZ still has some security issues, but it has managed to tackle most of them. By integrating ICT security into the business and development work, the security team has established its value and place within the organization.
The change of approach has given the executives more visibility into ICT security and even some new knowledge of the subject. The security team has a board member who translates many of the issues for the other executives. The ICT security map gives the team and the whole organization a clear view of which security matters are important and which can wait until later.
The development teams have new trust in the security team and consider security part of software development. They usually handle security-related issues before the security experts even get a chance to point them out, which shows that the developers are interested in protecting their software and have learned a lot.
In my opinion the operational approach is something every organization should avoid, because it is not capable of handling security issues and the organization cannot get any valuable insight from it to help in decision making. The strategic approach is much better at translating problems and the fact that security is a vital part of every business.
The strategic approach requires some work from ICT security management, but it pays off easily for the rest of the organization. Well-structured ICT security is known and valued throughout the organization, and that is also how ICT security works best and affects the organization in the most positive ways.
This was the second assignment of ICT Security Basics.