When it comes to protecting sensitive or regulated data and mitigating the risks of a data breach, having the right technology and implementing it in the right way are vital pieces of the puzzle—but by no means the only pieces of the puzzle. Businesses must find ways to balance their security needs with their business goals before they can determine which technologies and implementations will work for them. For that reason, security leadership is a must, as CipherCloud Chief Trust Officer Bob West told us in our last interview.
During that interview, Bob detailed his advice for ensuring that organizations’ security initiatives fit their business needs. Ultimately, it boils down to two key pieces: governance structure and the way the security conversation is framed.
1. Governance structure
Bob West: When it comes to security leadership, it comes down to creating the right governance structure, having the right participation at the right level in the organization, and having representation from security, general counsel, compliance and technology. Human resources should be part of the governance structure as well, because as an enterprise, there are policy decisions that need to be made and human resources can be one of the key organizations that enforces policy. There are legal issues that need to be addressed; in those cases, both the general counsel and compliance need to be part of the conversation. Finally, you get to ask where the business is heading. Without involving the business, it is very difficult to understand how information security can help the company achieve its business objectives.
2. Framing the conversation
Bob West: Security’s mission is to make sure that the risk level is minimized to a level that makes sense for the business. If the right dialogue is going on from a security leadership perspective, the business is engaged, and if it’s executed properly, then security is going to be aligned with both business and technology strategy.
What are the top 3 or the top 5 things that I need to achieve from a basic business perspective? What is the technology that’s required to support the business to get there? At a foundational level, that’s where the conversation needs to start. And once you have the right participants, then you can start making policy decisions given your profile of business. It’s about enabling the business—balancing risks against expenses. What are the controls that can minimize that risk without disproportionate expense?
Once the governance structure is in place and the security and business conversation correctly framed, Bob said, “then you can start making decisions about security architecture, how it fits into the business and technology architecture, and what the tools are that are needed to support that environment.” And from there, you can develop a security strategy that creates a resilient, secure organization.
How does your organization handle the tricky balance between security needs and business goals? Tell us your experiences in the comments.