The business-security disconnect that won't die

For years businesses have talked about how important security is to their customers and to the success of their business. However, with so many breaches in so many different industries, it's tough to take organizations at their word.

For years, many security managers and chief information security officers have talked about how the "business" side of the house doesn't understand security, or take what the IT security team has to say about risk seriously.

Somewhere, clearly, there is a disconnect.

Related: Talk the walk

"The IT security profession is always looking for ways to get into the requirements and design phases of a new application or initiative," says the security manager at a large regional health care services provider. "But we're often not brought to the table until the actual initiation of the project," he says. "Unfortunately, by then, there's little we can do because the architectural standards are gospel in the requirements. Also, there's little that can be done at that stage to improve security design without increasing costs tremendously."

Our discussions with CISOs, operations team members and other IT members support the security manager's assertions: security tends to remain consistently a step behind business operations in many organizations. "Often, when we bring IT security into the system design functions, all we hear from security are roadblocks about why things can't be done securely," says the enterprise architect at a global engineering services firm. "They're often overly technical, way too early in the discussion, when talking to the business side," he says.

Related: The new CISO: How the role has changed in five years

And there lies the all-too-common friction between business managers, IT operations, and IT security. The disconnect forces security groups to take the hapless position of having to "bolt on" security controls well after a new initiative is underway. That's a much harder and more expensive thing to do. "The earlier we are part of the discussion, the better and more secure the initiative," he says.

Other security managers cite times when application development teams purposefully shunned security guidance for as long as possible, in an attempt to push their guidance so late into the process that it becomes irrelevant. Few IT security professionals talk about positive relations among security, development, and other business groups within the early stages of an architectural discussion.

Can't beat 'em, join 'emThe challenge for security teams is to become an integral part of the discussion. "Before you talk about technical specifications or the risks of a new initiative you need to have something else in place first," says Mike Rothman, analyst with the security research firm Securosis. "That 'something else' that must be in place is 'credibility.' It all starts with building relationships, getting face time with business managers."

Brian Honan, founder of Dublin, Ireland-based information security consultancy BH Consulting and founder and lead of Ireland's first Computer Emergency Response Team, agrees: "You want to have steady contact with the business and establish those relationships," Honan says. "So when the time comes, you are not some strange guy who suddenly appears from the back office that nobody has seen before."

That credibility and rapport goes a long way when it comes to getting oneself heard at critical moments. "You also have to consider yourself as working within the industry that your company operates -- and not just as a security person," Honan adds. "Only this way can you build a risk profile that the company needs, and speak in ways that the business leaders understand."

Also, one of the most common ways security professionals rifle their good standing is by persistently throwing up roadblocks, and claiming initiatives can't be done because of the risks. "Explain to business leadership the risks that do exist with projects, and the costs to mitigate those risks," says Honan. "Let the business decide if they are risks it wants to take, avoid completely, or mitigate."

"It's about saying "Yes, but" instead of saying "no freaking way," adds Rothman. Risks need to be articulated to the business so that they understand the benefits of deploying an application or platform a certain way, verses what could go wrong. "Show them the real-world risks of doing it in an insecure way. Use clippings and recent examples or demonstrations to make your point," says Rothman. "The important thing is to talk in business terms, not in security jargon," he says.

"If you are just throwing up roadblocks to people, the organization will find ways to go around you," Rothman says. "If you want to be in the discussion early -- when you can affect real security change on the final outcome -- you have to relate to the business first, and then explain risk on their terms," he says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting lots of security jargon on Twitter @georgevhulme.

Read more about executive communication in CSOonline's Executive Communication section.

Join the CSO newsletter!

Error: Please check your email address.

Tags risk managementSecurosissecuritysecurity jargonIT SecuritySecurity Leadershipbusiness managementMike Rothmanexecutive communicationSecurity Leadership | Executive Communication

More about Computer Emergency Response Team

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place