Analysis: Intelligence key to security business case
Information security is becoming an increasingly important part of any business as the value of information assets continually grows, as do the threats from cyber crime and espionage.
But in many businesses, information security is still not well integrated with the rest of the business, consequently either inhibiting the business or exposing it to high levels of risk.
Many businesses are struggling to find a way of turning that around, but what is the key to solving this common conundrum?
Intelligence is key to security
The answer is simple, logical, but perhaps not as obvious as it should be, according to a panel of security professionals who briefed businesses at an event hosted in London by BT's IT services division, BT Engage IT.
Security intelligence, they said, is crucial to IT security enabling business growth and chief information security officers (CISOs) winning a place at the top table in business.
At SAB Miller, CISO Mark Brown told BT Engage IT customers that he has used intelligence about the threat horizon to bridge the gap between IT security and business.
This security intelligence has made IT security part of the business by helping to shape business strategy and contribute to the bottom line, he said.
Intelligence is key to security, said Claire Davies, a security consultant who is just coming to the end of 22 years' service in UK military intelligence.
"Organisations can't expect security procedures and technological controls alone to do the trick. They have to look forward so they can take up an offensive rather than a defence stance," Davies said.
Security intelligence, said Brown, is all about getting on the front foot; but to do this security professionals need to take a long-term view and regularly review their security strategy in the light of intelligence gathered from security threat horizon reports and other sources.
"Too many CISOs have a whack-a-mole mentality. But they have lost the battle if they fail to look at what is potentially coming down the road," he said.
IT security operations teams can focus on fire-fighting, he said, while regional teams should be looking at security in the next 12 to 24 months, leaving CISOs to think strategically about the next 24 to 60 months.
Contribution to security strategy
According to Brown, SAB Miller sees at least a six-fold return on investment in its membership of the Information Security Forum (ISF), which produces an annual threat horizon report whose predictions consistently achieve an accuracy rate of around 70%.
Such intelligence, he said, provides a valuable way of reviewing an organisation's information security strategy and identifying what needs to change.
But how does this enable integration of information security with the rest of the business?
Information security officers not only need intelligence about current, new and emerging threats, they also have to have an intimate knowledge of the business they support, said Davies.
"Decisions made in the boardroom can have an effect on security. Sony's decision to prosecute hacker George Hotz, for example, led to one of the biggest data breaches in history," she said.
According to Davies, linking information security officers with the business conversation is vital. "Security needs to know what is going on in the boardroom," she said.
By having an intimate understanding of the business, information security officers are better equipped to protect and support the business as well as have a meaningful conversation about risk with members of the board.
"It has never before been so critical for security professionals to have a complete understanding of the business they support and ensure the IT security strategy is intelligence-led," said Davies.
Security should follow business to risk
Information security professionals are generally very poor at speaking the language of risk, said Brown, but that is the language of business because business makes profit by taking risk.
"Security professionals are typically risk averse, but by enabling new opportunities, backed up by an awareness of the risk and a strategy, to defend against threats and mitigate those risks, they can be seen as supporting the business," he said.
Information security officers should proactively engage the business risk department to understand how the business understands, measures, tolerates and reports risk, said Mark Chaplin, principal research analyst at the ISF.
This will enable them to present information security risks in a way that the rest of the business will understand and will make it easier to put it into the context of business risk, he said.
"Use multiple sources of information in assessing the information security risk, including peers, intelligence feeds, suppliers, and the government's Centre for the Protection of National Infrastructure (CPNI), and validate your information by engaging with other risk-related functions in the business," said Chaplin.
Information security officers can then use just three or four pieces of validated intelligence to explain the risk and make a business case for investment in terms of how the risk will be managed, how it will affect governance of information security, and how it will help the organisation comply with internal or external regulatory requirements.
CISOs must prove value of security
Brown recommends security professionals document what they are doing for the business; how they are securing the business with threat controls balanced against risk; what success will look like; and what investments or changes need to be made.
By being part of the business conversation, information security officers can more easily make changes wherever necessary to reduce risk, said Davies, which often can be done by simply improving procedures or changing the attitude to security of people in the organisation.
Educating people about the reasons behind security procedures improves adherence to them, she said, and can save a lot of time doing unnecessary breach investigations.
Chaplin said information security officers should also establish a dialogue with senior executives about the business strategy and objectives.
In this way, he said, information security professionals will be able to identify opportunities for security investments that not only reduce risk but also add value to the business, for example by improving efficiency or by identifying a new product or service that reduces risk and brings competitive advantage.
Golden opportunity in consumerisation
Consumerisation of IT is commonly seen as a security risk, but Brown sees the trend of introducing consumer devices into the enterprise as a "once-in-a-generation opportunity" for security professionals to turn things around.
"The demand for things like iPads in the enterprise is great, as it enables security to do things like data leakage prevention (DLP) for which there was no business case previously," he said.
Information security professionals should learn to articulate these investments in terms of risk, said Brown, by telling the board that if they don't do X to secure operations, it could cost Y.
Security intelligence, combined with relationships with senior executives founded on a common understanding of risk, has delivered success for SAB Miller - and the approach is strongly supported by the ISF and a veteran of UK military intelligence.