Cyber Threats are infinite. Your Budget isn't! - Where is the Right Balance?
A few weeks ago, I returned from the European NG Security summit, held this year in Frankfurt. It was a successful summit with over 20 CISOs in attendance. There were a couple of things that really stood out for me: Cyber (Security, Threats, or Crime) & Risk. Most of those in charge of their company's IT security business were conscious that they needed to do a better job communicating back to the business in their own language. Of the few that reported they already did this, they were clear that this approach meant they were able to build more strategic relations and gain additional budget.
Most organisations understand risk; after all, they would not be where they are today if they had not taken the occasional risk to grow the business! However, in the age of austerity, managing or controlling risk becomes even more important. Taking calculated risks through better business intelligence is not just an approach reserved for the research, sales or marketing divisions; it can easily be applied to the IT department too.
Companies like Symantec do a great job providing an 'IT threat risk score' to external threats through our Global Intelligence Network. This is a great starting point, but it's only when organisations overlay this IT security risk information with their specific business environment and needs that it becomes true 'Risk Management'. What is a high priority for one organisation may not be so for another.
I think we can all agree that our IT teams are capable of being busy 100% of the day and still miss out on completing all their tasks, so how do we make sure we have our teams focusing on activities that actually make a difference to their business? This is where Symantec come in – collecting and analysing external cyber threat intelligence is already done through our Global Intelligence Network.
This is a resource that all Symantec customers can benefit from. Combine this with an internal GRC (Governance, Risk and Compliance) framework and we not only understand how we measure up against regulations or best-practice guidelines internally, but we now have context around the external threat landscape too. When we apply a business abstraction layer, we can have a much clearer view of which issues are impacting the business the most. We can also use this methodology to show the business which projects will make the most difference to enabling innovation and growth too.
As a security practitioner, you should be looking at ways you can help your team to prioritise their efforts and work more effectively, using this new approach to demonstrate to the business as a whole the value that the IT team bring.
At Vision Europe the Information Security & Risk Management team are holding a series of workshops around this theme.
For security executives who are interested to learn how Symantec’s new dashboard can provide oversight of your IT security program and enable you to clearly communicate security status in business terms, come along to the 'Security Insights at Your Fingertips: Symantec Protection Center Mobile Overview' workshop (Tuesday 13th November 2.45pm – reference ‘IS B26’).
For those of you that are interested to hear how CISOs are using a risk-based approach to managing their teams and the benefits this brings, come along to our CISO Panel session ‘Balancing Business Agility and IT Risk in Today’s Evolving IT Environments’ (Wednesday 14th November 3.45pm – reference ‘IS B15’).