I had a lot of fun participating in a panel discussion with fellow CISOs exploring the link between cyber security and business strategy. It’s a subject that is very close to my heart and I don’t think it gets enough attention.
In the course of the debate we covered a number of topics, ranging from leveraging KPIs and metrics to aligning with the Board’s risk appetite. We didn’t always agree on everything but I believe that made the conversation more interesting.
As an added bonus, my book The Psychology of Information Security was highlighted as an example of things to consider while tackling this challenge and to improve communication.
You can watch the recording on BrightTalk.
In this blog, I would like to dig deeper and talk about how you actually develop a security strategy with some illustrative examples. You can then use these to further refine your security architecture.
As always, we start with a why. Why is security important for your business? You will need to help your stakeholders understand that security can help build customer trust and become a brand differentiator.
And how can this be achieved? To keep this simple, let’s zoom in on three priorities:
- Support the business. Embed security into the business by ensuring alignment to business strategy
- Risk-based approach. Pragmatic and prioritised security controls, advice, guidance and information security expertise for the business
- Focus. Centre on protecting the most important assets and understanding the threats
The aim could be to arrive at a state where security underpins all products and services and offers customers a frictionless experience.
Talking to your business stakeholders will help you understand your company’s wider goals and strategy. Let’s imagine for a second that these conversations revealed that your organisation, like many others, ultimately wants to grow its revenue. It has also identified that the way it is going to grow revenue is through increasing sales, building customer trust, improving products and services, and scaling operations to better meet customers’ needs.
A vulnerable product, misconfigured infrastructure, insecure operations, an inadequate compliance regime and an inability to withstand incidents all prevent the business from achieving these objectives.
You can now prioritise your security activities to align with these objectives, for example by grouping them into product, infrastructure and people security, as well as wider compliance and resilience objectives.
Remember, the above is just an indicative timeline. The reality will very much depend on your organisation’s priorities, maturity and resource availability.
What should you do in your first 100 days in a new company? In short, you should find a way to support the business and present it in a way that is understood and accepted. Communicate broadly and often to ensure constant alignment. Measure your progress in a meaningful way to demonstrate the value to the business.
- Get buy-in
Validate top assets, threats and risks. Obtain leadership support on next steps.
- Baseline where you are
Understand business requirements and the technological and regulatory landscape. Perform interviews and review existing products and documentation.
- Work out what needs to be done
Recommend security improvements to address risks and align with business strategic priorities.
- Make it happen
Prepare people, establish good practice and implement the right technologies and processes.
I’ve recently been involved in a number of digital transformation projects and wanted to share some lessons learned in this blog.
Firstly, there’s no one-size-fits-all approach to successful digital transformation, so it always helps to start with a why. For instance, why is the company considering digitalisation? Perhaps the competitive landscape has changed or some of the existing business models are becoming less relevant in light of new technological trends.
Regardless of the reasons, I would argue that no special digital strategy needs to be developed. Rather, we need to see how digitalisation supports the overall business strategy, and how digital trends affect your company.
While strategising in the boardroom helps, keeping customers in mind is paramount. Rather than simply digitising existing business processes (such as going paperless), it’s useful to think about them as multiple customer journeys to maximise the value for the consumer.
Design thinking is a good method to use when approaching this, as it helps to create a customer-centric solution. It begins with a deep understanding of customer problems and iterates through prototyping, testing and continuous feedback. This process also aligns well with modern iterative frameworks for software development and broader agile working.
Learning from feedback on your minimum viable product (MVP) helps to refine your initial assumptions and adjust the approach where necessary.
For example, adopting and combining technology like Cloud, Big Data and Machine Learning can help improve the decision-making process in one department, so it can then be adopted by the rest of the enterprise once the business benefits have been validated.
Having a clear data architecture is key in such transformation. It’s rarely about just building a mobile app, but about making better business decisions through effective use of data. Therefore, before embarking on any data analytics initiative, it’s imperative to be clear on why the data is being collected and what it’s going to be used for.
While working with a Power and Utilities company, I helped them securely combine Internet of Things devices and Cloud infrastructure to connect assets to the grid, analyse consumption data to predict and respond to demand and automate inventory management. As outlined above, it started with a relatively small pilot and quickly scaled up across the enterprise.
Yes, traditional companies might not be as nimble as startups, but they have other advantages: assets and data are two obvious ones. Digitalisation can help make this data actionable to better serve customers. To enable this, such companies should seek out not only opportunities to digitise their core functions, but also new growth areas. If some of the capabilities are missing, they can be acquired by engaging with other members of the ecosystem through partnerships or acquisitions.
It’s not all about technology, however. People play a key role in digital transformation. And I’m not only talking about the customers. Employees in your organisation might have to adopt new ways of working and develop new skills to keep up with the pace of change. Recruitment requirements and models might have to adjust accordingly too.
If you would like to learn more, there’s a free online course on digital transformation developed by BCG in collaboration with the University of Virginia that provides a good summary of current technology trends impacting businesses. Feel free to jump straight to week 4 for the last few modules discussing their framework and some case studies if you are after more practical advice.
Image by John Pastor.
When determining the level of maturity of a security function, I focus on the following areas and try to answer these questions:
- Is security strategy aligned with business strategy (including vision and mission)?
- Is it documented and communicated?
- Is it supported by the leadership?
- Is there a guiding policy in place to achieve set objectives?
- Have accountable individuals been identified?
- Have risk management practices been established?
- Have audit and assurance practices been established?
- Have performance measurement practices been established (including KPI definition)?
- Have global and regional interfaces been defined?
- Have team structure and funding been agreed?