Security in organisations is no longer what it was ten or even two years ago. And that’s because information security has never been as relevant to organisational growth as it is today. Security teams have larger budgets, more opportunities, and greater visibility at the board and executive levels. With these changes come more responsibility and scrutiny. How do you operate in this new reality as an IT leader?
Why it’s time to rethink security
Technology and the dependence on technology have had a transformative effect on our society. We’re increasingly globally connected, which opens doors to both benefits and harm.
Information is the new hot commodity
Without geographic limitations, cybercriminals can take full advantage of that connectivity. Crimes can be committed anonymously worldwide with little risk of getting caught.
This advantage has created a market demand for raw information, which is then used to generate intelligence. As a result, information and intelligence have become highly profitable commodities.
As an example, Shawn Henry, previously the FBI's executive assistant director, stated in an article published in The New Yorker: "When I started in my career, in the late 80s, if there was a bank robbery, the pool of suspects was limited to the people who were in the vicinity at the time. Now, when a bank is robbed, the pool of suspects is limited to the number of people worldwide with access to a $500 laptop and internet connection. Today, that number is 2.5 billion people. Instead of stealing just one person's credit card, you can steal from millions of people at the same time."
Data breaches have become common
Reports of data breaches keep popping up in the media daily, involving everything from Personally Identifiable Information (PII) to sensitive government documents to credit card data. Security breaches are on the rise, and new cybersecurity challenges are emerging as fast as experts can combat them. All this reshapes how we think of security, especially information security.
Security now goes beyond IT
Information security used to be a technical domain within IT departments. It focused on technical work and projects. That’s the “Old School” world of IT security.
Technical expertise is still needed today, but modern cybersecurity demands a business-focused security strategy. This "New School" approach requires going beyond IT—security leaders and managers must understand risk management and various regulatory, compliance, legal, and privacy drivers.
The robustness of your organisation's security now depends on business savvy. You need to relate, communicate, and build relationships across your organisation. Successful security requires identifying security threats and capabilities, combined with a deep understanding of the business environment and organisational goals. This goes far beyond getting certified and being compliant.
For security teams to succeed, they must work effectively across the entire organisation. This includes all business functions to support necessary business processes and new technology areas such as the cloud, mobile, Bring Your Own Device (BYOD), and any other new initiatives.
Security and business goals must be aligned
There is often a disconnect between security and business leaders, making it challenging to identify which security projects are important to your organisation.
Your organisation faces many risks while doing business, and security is just one of the risks that need to be addressed. By balancing security needs with those of other business investments, security can be seen as a business partner, not just a cost of doing business.
Security is just one type of risk that needs to be addressed
Security is one of several risks your organisation must manage. The best results are achieved by balancing security efforts with financial, operational, and reputational risks. And any risk-based decisions must be agreed to by business leaders. Here are a couple of questions for you to answer: How much potential loss is acceptable? What do business leaders believe is an adequate level of risk to carry?
Security budgets need to be balanced with other business investments
Security budgets should support business growth. A tech startup, for instance, might prioritise securing its intellectual property over other areas, understanding that protecting innovation is a priority to preserve a competitive edge.
Strategic planning as a number one priority
One thing is certain: It's not a matter of "if" an information system will be compromised. It's more about "when" and "how much" information will be lost once it does occur. How can we manage risk to an acceptable level? Effective strategic planning is required to address evolving threats, align security with key business initiatives and stakeholders, and ultimately design the most advantageous approach to combat cyber attacks.
Strategic planning is where it starts. Security must be implemented into the broader business strategy. A healthcare organisation, for example, must integrate stringent data security measures as part of its compliance with health regulations, aligning these efforts with its mission to provide safe patient care.
How do you make security a part of your business strategy?
It begins with strategic planning, with both security and executive leaders involved. Building a robust Information Security Management System (ISMS) also contributes heavily to making security a part of your organisation's business strategy, because an ISMS gives a clear overview of your assets, the risks to them, and the measures that address those risks. This, in turn, helps align security with business goals.
Build a robust ISMS
A robust, modern ISMS ensures your security measures match your strategic vision. For example, a multinational company can use an ISMS to unify security protocols across regions, maintaining consistent protection while supporting global operations.
As an IT leader or CISO, you probably already have an ISMS in place; the trick now is to figure out whether it is set up in a way that makes sense to your organisation’s business model:
- Does it consider your organisational context?
- Do you have a good overview of your most valuable assets and related risks?
- Are you prepared to get and maintain certifications like ISO 27001 or TISAX®?
- Is your ISMS built on a reliable platform?
- Do you have enough expert support to guide you through the complexities of information security, risk management and compliance?
Identify your critical assets
Let’s say you’re a logistics company. A critical asset for your business would be the delivery scheduling system, which ensures timely and efficient transportation of goods to customers. The system itself, the customer data (addresses, contact information) and communication channels (emails, phone systems) all define a critical function for your organisation.
Your biggest risks would then be associated with this system, as its corruption could lead to millions of dollars in losses and negatively affect customer satisfaction and your company's reputation.
Use the NIST Cybersecurity Framework (CSF)
Consider the NIST Cybersecurity Framework 2.0, a toolbox of guidelines and best practices that organisations can use to strengthen their cyber security and resilience. It is designed to be flexible and adaptable to different types of organisations and their unique cybersecurity needs.
In essence, NIST CSF 2.0 describes a cycle through which effective information security management is carried out: govern, identify, protect, detect, respond and recover.
Governance is about defining your core business processes, understanding acceptable risks, and knowing who is responsible for what. Identification means figuring out which assets support these processes and assessing relevant risks.
Next, protection ensures these assets are safeguarded. Detection involves monitoring for malicious activities. Response involves taking action to address any threats that are detected. Lastly, recovery focuses on getting things back to normal after an incident.
Start building your ISMS for security and compliance
You may have an elaborate spreadsheet to cover all your assets and risks, which might work for you. Things can get a little more complicated, though, as your organisation grows, expands to new markets and starts working with new vendors. New risks threaten your critical systems and data. A one-stop shop to build your ISMS for ultimate security and compliance (be that GDPR, ISO 27001 or TISAX®) could help solve most of these new headaches, especially if you can get expert support.
*TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide Software-as-a-Service and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.
Frequently Asked Questions
What are examples of security procedures?
Examples of security procedures include access control measures, such as password policies and biometric authentication, and physical security protocols, like surveillance and secure entry systems. Other procedures include data encryption, regular software updates, and backup processes to protect against data loss. Incident response procedures, which outline steps to take during a security breach, and employee training programs to educate staff about security best practices, are also critical components.
What is organisational security procedure?
Organisational security procedure refers to the standardised processes and guidelines that an organisation follows to protect its assets and information. These procedures outline the steps to be taken to prevent, detect, and respond to security incidents. They encompass a range of activities, including access controls, incident response protocols, data protection measures, and regular audits. The aim is to create a systematic approach to security that ensures consistency, compliance, and the effective management of security risks across the organisation.
How do you ensure organisational security?
Ensuring organisational security involves a comprehensive approach that includes implementing robust cybersecurity measures, conducting regular security audits, and training employees on security best practices. It requires the deployment of firewalls, encryption, and intrusion detection systems, as well as the establishment of clear policies and procedures to manage and respond to security incidents. Regularly updating software, conducting vulnerability assessments, and fostering a security-aware culture among employees are also critical components.
What is the purpose of organisational security?
The purpose of organisational security is to protect the organisation's assets, including physical and digital resources, from threats such as cyberattacks, data breaches, theft, and natural disasters. Effective security measures ensure the confidentiality, integrity, and availability of sensitive information, safeguarding the organisation’s operations, reputation, and legal compliance. By mitigating risks, organisational security helps maintain business continuity and trust among stakeholders.
How do you develop a security plan for an organisation?
Developing a security plan for an organisation involves assessing potential risks and vulnerabilities, defining security objectives, and establishing policies and procedures to address identified threats. This process includes conducting a thorough risk assessment, setting clear security goals, and creating an incident response plan. It also involves assigning responsibilities, implementing technical controls, and providing regular training for employees. Continuous monitoring and updating of the security plan are essential to adapt to evolving threats and ensure its effectiveness.