The relationship between information security staff and senior corporate executives is one of today's major issues. Information security must protect the company for it to develop effectively, yet in practice the business does not see or value the work that information security does, and information security professionals often lack sufficient knowledge of the business operations they safeguard.
Information security has long been an integral part of any enterprise's activities, and yet it still receives attention from business management only on a residual basis. However, even if a business process does not directly generate cash flow, that does not mean it does not contribute to business growth.
Information Security and Competitiveness
Leading companies define competitiveness as an enterprise's ability, under given conditions, to achieve business indicators higher than those of its competitors. Three main groups of factors have been identified that help an organization improve business performance:
- risk reduction;
- creating added value;
- cost reduction.
Thus, we can make the bold assumption that by reducing the level of risk, information security contributes to the growth of the enterprise's business. Information security specialists should always remember that, whatever we think of ourselves, the business will always pay attention first and foremost to business risks. It is therefore difficult to prove to the business that the risk of cyber threats is as important as the risk of losing access to credit or the risk of a slow economic recovery. Risks associated with the realization of information security threats, or IT risks, rarely make it into the top 10 business risks: out of several dozen industries, only three placed such a risk in their top 10. These were telecoms, banks, and the development of new technologies. In these industries, I think there are no particular problems convincing the business to reduce IT risk and take cybersecurity measures. In all other industries, security professionals will most often have to prove the connection between cyber threats and business damage. Measures such as demonstrating the presence of vulnerabilities and the likelihood of possible attacks only reach managers at the level of IT or information security itself; it will not be easy to prove to a top manager who has suffered no damage from cyber threats in ten years that it will now suddenly happen. In any case, you should try as far as possible to show the impact of modern information security challenges on the organization's business risks: against the enterprise risk map if one exists, or, if risk management is not formalized, against an average, using the industry's top 10 business risks as the example. And do not be afraid that quantitative methods cannot always be applied.
If the assessment is qualitative, that does not mean it fails to give an objective picture. For example, when we leave the house and see rain, we do not calculate the amount of water that could soak the body, the percentage drop in its temperature, the dollar losses that could follow, or the probabilities of all of these; we just take an umbrella. Not knowing the exact figures does not prevent us from acting in this situation.
Such questions, of course, need to be made specific: what exactly is meant? In any case, the CEO is responsible for all risks. Beyond that, one can argue at length about who should be responsible, the IT director or the security service, or whether a dedicated unit should be created. It all depends on the scale of the enterprise and the nature of its activity.
Manufacturers of security products are, of course, primarily interested in selling them, but it cannot be said that they only spread fear; that way you will not last long in the market. In the enterprise segment, such tactics are generally risky because the buyer is, as a rule, very well versed in the issue and can, in addition, order an assessment from a competing organization to check for objectivity. In the consumer segment it may be possible to promote products with horror stories, but that market is still maturing, and consumers do not really concern themselves with security (there is an antivirus, and that is enough). Of course, relations between producers and consumers in this industry are not always smooth, but so far they still lie in the plane of communication between equal professionals on the substance of the issue, rather than "building positive relations with the brand" and the other marketing background noise of consumer markets.
How to Reduce Risk in Business
Regulatory requirements in this area have always existed and always will, and this is not the most heavily regulated market. These are world practices. In addition, the trend of recent years is the desire of state structures (mainly the security and defense agencies) to strengthen regulation of the private sector in the field of information security, and this is true in both the US and Europe. The question is how to do it. Over the past few years, virtual data rooms have been actively used. If this interests you, read more about VDRs.