Infosec pros urged to demonstrate value to business

Information security professionals have been urged to help business understand the value of what they do and the importance of security and privacy

The tech and related industries are failing to put privacy and security controls at the heart of everything they do, according to Raj Samani, chief scientist and fellow at McAfee.

“The security industry has a central role to play in this, but quite frankly, we are not doing a good enough job,” he told attendees of the Isaca CSX Europe 2017 conference in London.

Information security professionals, he said, are the most important people for any organisation in the 21st century because of the way businesses are evolving in the digital era, with many using consumers’ personal data for monetary gain through new business models.

“And yet we are still largely unable to articulate the value we bring to the business,” said Samani. “So my ask of all of you is to change, evolve and adapt the way the information security industry works.

“We need to change the way we articulate our value,” he said. “We need to be able to demonstrate value and fundamentally how we add to the business’s bottom line.”

As an example, Samani said the security team at a petro-chemical company was able to boost its oil extraction capacity from 400,000 to one million barrels a day through creating the infrastructure to support a “digital oilfield” concept that delivered a return on investment in three months.

“As a result, the chief information security officer behind the project was able to get a much more senior job elsewhere earning three times as much, and is now recognised as the technology expert in oil and gas, all because he was able to add 150% value to the bottom line of his company,” he said.

The security department under this CISO’s leadership, he said, was no longer seen as a blocker to the business, but a business enabler because it introduced new technology that revolutionised the way the industry works.

“Using fear, uncertainty and doubt, or the fines under the EU’s GDPR [General Data Protection Regulation] to persuade business of the need to improve cyber security, is unacceptable.

“And as an industry, we need to start working together,” he said. “When I talk about security and privacy needing to be the core of all we do, I absolutely mean that.”

Although the perceived value of personal data is decreasing, because people will give it away for very little in return, the real value of personal data is increasing.

“This is evidenced in things like the fact Facebook acquired WhatsApp for $19bn when its profits were still at zero, but this puts the value of each user’s data at around $42,” said Samani. “I think there are many more business models on the way that will make huge sums of money by leveraging data and new security models,” he said.

While self-driving cars and the like are an “exciting” prospect, Samani said: “And yet we are failing to put in the security and privacy controls at the core of all we do.”

Society as a whole, he said, still has a long way to go, but information security has a key role to play and has to do more to ensure this goal is achieved.
