As business changes, so does – or so should – security. The direction of business can have significant consequences for security, both internally – in terms of influence, funding and organizational structure – and externally – in new threats, new risk, new mitigation requirements.
Are you watching business trends and thinking about how they should impact security and your strategies to mitigate risk?
Problem identified and communicated, plan created, funds provided, problem resolved. This is the lifecycle senior business leaders often expect – and prefer – organizational challenges to have. It’s the way decisions are made and issues addressed for many functions of the business.
One of the many difficult tasks in security leadership is showing senior management and other business leaders exactly how, where, and how much security investments positively impact the bottom line (assuming, that is, that security’s impact is positive).
It is five years since the publication of Nassim Nicholas Taleb’s book The Black Swan. In the book, Taleb introduces the concept of Black Swan events, which he characterizes as events that are 1) rare; 2) extremely impactful; and 3) often endowed by people – after the fact – with elements of predictability. Taleb argued that uncertainty cannot, in his words, be tamed, and that it is foolish to attempt to tame it.
Risk appetite isn’t a term that comes up a lot in the security trade media. This is interesting, because understanding risk appetite is a crucial factor in developing acceptable security programs, communicating value, and aligning the function with the goals of the business — all of which are talked about in security circles all the time. So what is risk appetite?
Municipal governments present a challenging atmosphere for security. There’s the potential for leadership turnover at each election, and there are “politics,” which may manifest in strained relationships and difficulty accomplishing goals. Procurement rules and bureaucratic red tape can slow down even simple processes in some city governments, and then there are the challenges of zero-balance budgets.
If security continues to mature as a business function, senior management will likely ask for a set of metrics to measure performance. Security leaders should prepare meaningful metrics that inform management and improve security effectiveness.
Security leaders don’t have time. The best ones find time, or make time, for critical or strategic tasks that have a long-range payoff, but they often struggle to fit more into a workday that already stretches from dawn to dark.
Next month will mark the 100th anniversary of the sinking of the Titanic, and plans abound to memorialize or capitalize on the tragedy, including the re-release of the 1997 movie Titanic in 3D, the production of a commemorative coin, and – believe it or not – a series of Titanic memorial cruises. Some members of the security community recently chose to remember the event in a more constructive way.
In last month’s column, we argued that the next generation of security leaders will be challenged more than previous leaders to run their function as a business; they will be expected to align with the organization and build value through security. As they work toward these goals, they will also be faced with new risks, some of which have the potential to escalate at a stunning pace.
For the next generation of enterprise security leaders, is there a clear path forward to success? Enterprise security leaders discuss mentorships, education, certifications and the skills new CSOs and CISOs will need to succeed in their evolving roles and bring value to the business. But the problem is: with existing security leadership roles varying so widely, is the development of a uniform skill set even possible?