You’ve just been hired to lead the security program of a prominent multinational organization. You’re provided a seasoned team and budget, but you can’t help looking around and asking yourself, “How will I possibly protect every asset of this company, every day, against every threat, globally?” After all, this is the expectation of most organizations, their customers and shareholders, as well as regulators and lawmakers. In my experience, one of the top challenges security leaders face is trying to optimize a modest security budget to protect a highly complex and ever-expanding organizational attack surface. In fact, Accenture found that 69% of security professionals say staying ahead of attackers is a constant battle and the cost is unsustainable. For most, this challenge is extremely discouraging. However, success is not necessarily promised to those with resources – it’s more about how resourceful you can be.
As organizations worldwide digitally transform at a breakneck pace, the stakes are increasing for cybersecurity programs. Cyberattacks no longer just take down websites and internal email. They can disrupt the availability of every revenue-generating digital business process, threatening the very existence of many organizations. With this heightened risk, organizations must shift from a prevention-first mindset to one that balances aggressive prevention measures with a keen focus on enabling efficient consequence management. This shouldn’t be read as a response-only strategy, but it does mean:
- Designing business processes to minimize single points of failure and reduce sensitivity to technology and data latency, recognizing that technology and data risk is extremely high in today’s environment.
- Focusing asset protection programs disproportionately on the assets that underpin the most critical business processes or present the greatest risk.
- Architecting technology to anticipate and recover from persistent, sophisticated attacks, as the “zero trust” approach suggests.
- Establishing an organizational culture that acknowledges, anticipates, accepts and thrives in a pervasive threat environment.
Most cybersecurity leaders today only focus on, or are limited to focusing on, the third of these four items. Many are aggressively pursuing zero trust related modernization programs to increase the technology resilience of their organization’s systems and networks. However, the other three strategic imperatives are not achieved due to a lack of organizational knowledge, access, influence or governance.
The same can be said for physical security leaders, who likely do their best to focus on the second item, but may not understand the interdependency between an organization’s physical and digital assets. Unless a building is labeled as a data center, they may be unlikely to protect those physical assets that are most critical to their organization’s digital operations.
All security programs, both digital and physical, struggle to achieve the fourth item, limited by their lack of business access and influence. So, how do security organizations move from being security-centric to business-centric? The journey starts by taking a converged approach.
Implementing a converged security organization is perhaps one of the most resourceful and beneficial business decisions an organization can make when seeking to enhance security risk management. In this era of heightened consequences and sophisticated security threats, the need for integration between siloed security and risk management teams is imperative. The need for collaboration between those two teams and the business is equally imperative.
In my role as the Chief Security Officer of Dell Technologies, I oversee a converged organization with responsibility for physical security, cybersecurity, product security, privacy and enterprise resiliency programs, including business continuity, disaster recovery and crisis management. As discussed in a recent article, organizations that treat different aspects of security – such as physical and cybersecurity – as separate endeavors, can unintentionally undermine one area and in turn, weaken both areas. With a converged organization, the goal is to bring those once-separate entities together in a more impactful manner. I’ve seen convergence lead to greater effectiveness in corporate risk management practices. But, the benefits don’t stop there. It also increases financial and operational efficiency, improves stakeholder communications and strengthens customer trust.
Over the course of this series, I will walk you through how security, privacy and resiliency teams with seemingly different capabilities and goals can work together to advance one another’s priorities, all while marching towards one common goal – greater organizational outcomes. First up, let’s discuss the benefits gained from converging enterprise resiliency and security programs.
The road less traveled – benefits of converging resiliency and security
While I’ve observed an increase in organizations merging cybersecurity and physical security programs, I’ve seen fewer organizations bring resiliency into the mix, despite it being potentially more important. In fact, an ASIS study found that only 19% of organizations converged cybersecurity, physical security and business continuity into a single department.
In my experience, converging resiliency programs with all security programs enables organizations to consistently prepare for and respond to any security incident or crisis – natural disaster, global pandemic or cyberattack – with a high degree of resiliency. More importantly, converging these programs empowers security organizations to achieve the strategic imperatives mentioned earlier.
Now, let’s look at some of the more specific benefits:
Business continuity programs help prioritize security resources
As discussed earlier, one of the main challenges for security leaders is trying to find resourceful ways to adequately secure the breadth of a company’s assets, often with a less-than-ideal budget that limits implementing leading security practices across every asset. By converging business continuity, a core component of a resiliency program, with cybersecurity and physical security programs, security leaders can identify the most critical business processes and the digital and physical assets that underpin them. This in turn provides clear priorities for security focus and investment.
Non-converged security organizations generally prioritize their focus through the lens of regulatory and litigation risk, rather than having a deep understanding of business operational risk and its ties to revenue generation. For a physical security leader, this may look like prioritizing physical security resources in countries that have stronger regulatory oversight and more stringent fine structures, or those that contain the most employees. For a cybersecurity leader, it may mean focusing on databases that contain the most records of personal information, a costly data element to lose. While these approaches are not wrong, they are incomplete. In fact, the most critical business assets don’t often look like those most commonly prioritized by security. It requires a business lens to find the assets that the business depends upon to thrive, rather than focusing on the assets that might lead to a lawsuit if left unprotected. It means thinking about business risk more holistically.
Business continuity planners have perfected the art of applying a business lens to explore complex, interdependent business processes, some of which even sit with third parties. When organizations don’t continuity plan well, it isn’t until an incident strikes that they find most of their company’s revenue was dependent on an overlooked single point of failure.
However, business continuity alone is typically only looking for issues of availability. By converging resiliency and security programs, business impact assessments and security reviews can merge, resulting in more holistic assessments that consider both business and security risk across the full spectrum of availability, confidentiality and integrity issues. As a further sweetener, business stakeholders can have a single conversation with the converged risk program, reducing distractions that pull them from their primary business focus.
By integrating these two programs, converged security organizations can ensure their priorities are closely aligned with the business’ priorities. Whether it be digital assets, buildings or people, an organization’s most critical assets are clearly identified and traced to critical business processes through robust business continuity planning, then secured. Tying these programs together enables security leaders to protect what matters most, the most, which is the most important benefit of converging security and resiliency programs.
Security makes business continuity programs smarter
For the modern security professional, the only thing better than spotting a difficult-to-find critical business asset in need of protection is for a business to improve its processes and reduce the number of assets needing protection in the first place. By embedding security context into the continuity planning process, business continuity programs become smarter. With this knowledge, converged organizations can more effectively propose process engineering opportunities that optimize security budgets and reduce organizational risk. This is particularly true where the resiliency team has deeper access and insights to the supported organization than the security team.
Typically, business continuity planners are introduced to business processes and underlying assets only after they are in place, which means planners discover existing resiliency risks. Contrast that with modern security programs embedded in business and digital transformation projects from the beginning. By merging security and business continuity programs, the value proposition shifts from “smart discovery” of business process reengineering opportunities to one of resilient and secure business process engineering from the initial design point, helping organizations get it right the first time.
This type of value can extend from the most tactical processes to more strategic business initiatives, such as launching a new design center overseas. Converged security organizations can share a holistic, converged risk picture to inform business decision making. A typical converged risk assessment for such a project may consider historical storm patterns, geopolitical instability, national economic espionage, domestic terrorism, labor risk and so on. This holistic view results in better risk decisions and better business outcomes.
Security and crisis management go together like peanut butter and jelly
Crisis management is another core capability of resiliency programs. The benefit of converging crisis management and security programs is twofold. First, security is often the cause of the crisis. Historically, organizational crises would be a broad mix of mismanagement, natural, political, brand, labor and other issues. In the last year alone, the world has seen a dramatic rise in cyberattacks.
Second, this is the area where the culture of the two organizations is most closely aligned, allowing for low-friction integration and improvement. Crisis management professionals are accustomed to preparing for and managing through low-likelihood, high-impact events and facilitating critical decisions quickly, with imperfect information. If you ask a security leader what the motion of their organization looks like, you will likely get an identical answer. Leaders can unify and augment these skillsets and capabilities by bringing crisis management and security programs together. And, this is becoming more important in a world where consequence management – how capably a company responds when things go wrong – can be the difference between a glancing blow and a knockout.
Disaster recovery programs thrive when paired with security
Disaster recovery teams focus on identifying critical data and technology, and ensuring it is architected and tested to handle common continuity disruptions. In a mature resiliency program, this means close relationships between continuity planners and application owners. Often, however, resiliency programs struggle to gain deep access and influence within technology organizations, or the disaster recovery technology-centric arm of the program is challenged to integrate with the more business-centric continuity planning arm. A converged resiliency and security program eases these challenges.
Disaster recovery programs often sit within the technology organizations themselves, and in those cases, technology integration is not a challenge. However, these programs can sometimes struggle to maintain close access to the business organizations they support. In these cases, converging resiliency and physical security programs enables teams to leverage the strong business relationships and closer business access that physical security programs often have. By integrating these programs, physical security teams can create the inroads needed so disaster recovery programs can deliver the most value in a business-connected manner.
Conversely, for disaster recovery programs that sit within business or resiliency teams, they can often struggle to gain traction with an organization’s technical owners. In these cases, converging disaster recovery with a cybersecurity program can be a game changer. Cybersecurity core programs focus on application, database and system security, and have an existing engagement model with those the disaster recovery teams need to influence. By integrating with cybersecurity programs, disaster recovery teams can leverage existing processes and organizational relationships to accelerate their impact. The integration of these programs also provides a more efficient unified engagement model for the technology asset owners, creating overall efficiency for the organization.
Finally, the cause of disaster recovery events is increasingly cybersecurity related. Disaster recovery teams must adjust their architectures and programs to account for ransomware, destructive malware attacks and other evolving threats. The expertise needed to do this well rests with cybersecurity organizations who, once converged, are well positioned to help with this journey.
Security brings digital expertise to resiliency programs
Consider this: When a hurricane strikes, the location and severity of the storm’s eye depends on the time of day, the topography and numerous meteorological factors. It doesn’t target you specifically. Organizations are informed of the hurricane’s arrival days in advance. And, the organization is not the only victim of the hurricane, so external support is mobilized and resources are provided. Given all these factors, organizations infrequently experience the most severe possible outcomes. Now, consider a typical cyber crisis: When a ransomware attack strikes, it is without warning, usually targeting and impacting the most critical business assets and is designed to hit at the most inopportune time. Moreover, the victim is often blamed, which means outside help is scarce. Of course, organizations should continue planning for hurricanes, earthquakes, pandemics and other natural disasters, but the evolution of digital crises makes the resiliency threat landscape more complex. The results of these troubling trends: Cybercrime will have cost the world $6 trillion by the end of this year, up from $3 trillion in 2015. Natural disasters globally cost $84 billion in 2015.
Business continuity professionals have thrived for decades by helping their organizations predict and prepare for natural disasters and physical security incidents. To date, the best practice to prepare resilient data centers is to evaluate redundant electrical grid availability, historical weather patterns, earthquake trends and, most importantly, to confirm that the backup data center doesn’t reside within a certain physical distance of the primary data center. Cyber threats have added new challenges to this equation, as even two ideally positioned, geographically distanced, modern data centers often rely on the same underlying cyber systems and networks. It’s not uncommon to find ransomware attacks, which travel at the speed of light and aren’t bound by physical distance, devastating organizations when both primary and backup data centers are encrypted for ransom or, worse, deleted by destructive malware. This is only one example that highlights the new resiliency risks faced by the world’s recent dramatic increase in digital dependency and cyber threats. By converging cybersecurity and resiliency programs, organizations are better positioned to contend with this challenging new reality.
When two roads converge
Security threats are more sophisticated, persistent and numerous. Many organizations operating in this highly fragile environment are less resilient and more vulnerable to an expanding landscape of potential critical points of failure, in both their technology and their operations. Against this backdrop, it is imperative that security and resiliency teams come together to help their organizations successfully navigate. Ultimately, the organizations that converge their operations to manage a converged risk landscape will be the ones most likely to thrive today and overcome the inevitable crises of tomorrow.
Stay tuned for the next article in our series on security convergence, where we explore the benefits of converging product security and cybersecurity programs.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.