This is my first column for Security. I am privileged to write this monthly column and want to establish what I’d like to see us accomplish.
Simply, a dialogue. Please take some time to share your thoughts and comments, as I do here. None of us is always right, and none of us is always wrong. It’s the dialogue that helps cultivate thoughts, and we’ll all be better off for sharing. There is always a need for open and productive dialogue, especially now.
We are in a transformative time with security. The security industry is no different than any other industrial segment dealing with these changes. We’re dealing with new threats from cyber, IoT, and the use of robots and automation that can displace people and processes, yet invite new risks to enterprises – risks that can be more deeply disruptive to enterprises than in the past. We’re asked to know more, be situationally aware 24/7 and anticipate unforeseen risks… of course, all with fewer resources.
Transformation is inevitable. In my current role I get to see a lot of different programs and advise on security’s strategic direction. I have found some folks who tend to hold their ground and justify their current programs by pointing to “best practice,” while others are ready and willing to transform. Sure, it’s not easy. We each have bosses, historical context, budgets and commitments... much of it driven by “best practice.” Each culture is so different, with the ability to inhibit or demand change. The attributes that stand out when I see a willingness for transformation are, first, a recognition that change is occurring and, second, a dedication to engage in it. I don’t think it’s that simple, but it’s a good starting point.
Throughout these columns, I’d like to keep the conversation strategic. Security has a strategic place in every enterprise and in every career. I’m hoping these articles relate to all practitioners, whether you’re practicing cybersecurity, physical security, business continuity, fraud, investigations, workplace violence, etc. We’ll also try to keep this relevant and applicable to everyone in the industry, whether you’re a CSO or CISO, transitioning into the security world, just graduating and starting a new career, or an integrator or a manufacturer.
My belief is that the security industry has been broken into silos because the industry hasn’t defined its role, and others have defined the role of security for us based on the tasks we are assigned. The tasks are distinct from the role security plays. Security’s role is to guide the business through a security risk management decision-making process.
It’s this common ground that I think we can have some amazing dialogue around – issues like governance, reporting, vulnerabilities vs. risks, building risk-informed processes, the output of security, defining success, and the application to department and career development. I am a huge fan of Enterprise Security Risk Management (ESRM) and will talk about these concepts. ESRM defines security’s role and provides strategic direction.
I look forward to our dialogue.