Security is still seen very much as a cost centre or necessary evil that is a ‘cost of doing business’. This, along with a historical challenge around gaining traction at board level, has driven the slow move of security to being a key part of most businesses.
This is true even in the industries where security is now seen as critical, and where the board has time and an appreciation for it. In these industries, such as financial services, gambling, big pharma and even gaming, getting funding, resourcing and executive support for security programs is less of a challenge. However, even with this support, the view is still one of security being a cost of doing business.
In order to progress further and make security genuinely a key part of the business, we need to move the conversation on again.
Over the last few years CISOs and security teams have worked diligently to understand their business and speak in the language of their business peers. This has been a key factor in gaining board support for security.
The next step is to move this further, and work out how security can become a key part of the business offering for your organisation.
This should likely begin in terms of how you differentiate yourself in the market. Start thinking along the lines of:
- How is your company’s security different from, or better than, others in the market?
- How do you ensure your customers’ data is kept secure?
- What reassurance can you offer your customers?
- If your business involves medium to longer term partnerships, can you become your customers’ ‘trusted partner’?
- Do you have an impeccable record e.g. never been breached, never lost customer data etc.?
The aim here is to think about ways you can make your strong security a part of how your organisation sells itself. Security needs to become a part of ‘who the organisation is’. By doing this you’ll move security to the ‘next level’ in the business, where it isn’t just a boardroom topic because it has to be, but is a boardroom topic as a key part of what you do.
By making security a key differentiator for your business, you’ll also make security much more part of the conversation across the business as it becomes part of how your organisation sells itself.
Now for the really big bet! Can we move security even further, to not just be a differentiator, but to become something you actually sell?
Whether this is possible or not will depend on your industry, company size, customer base etc. However, if it is possible, think of how powerful this could be!
Imagine not only the benefit to the standing of the security team if you are able to actually sell services and solutions to your customers, but also the benefit to the actual security / risk posture of your organisation!
Have a think:
- Do you hold large volumes of data on your customers, or their customers? Could this be used to provide valuable security analytics such as fraud or unusual behaviours? Could it even be used to provide predictive analytics?
- Do you run enterprise scale services that you could provide at a relatively low incremental cost to your customers such as encryption, tokenisation, authentication, …?
- Could you support your customers in achieving compliance with whatever regulatory environment you work in?
- Is it possible to securely host your customers’ services in your own DCs? This has the added benefit of ensuring communications from the customers’ systems to yours are secure.
- Can you provide them other capabilities such as monitoring, vulnerability scanning / management, secure coding guidance …?
- Insert your ideas here!
Seriously, if you work in security, and especially if you have a leadership role, think about this. It’s time for a step change to really make security front and centre of your organisation. Let’s stop being one of the ‘costs of doing business’ and become a core part of what our organisation does!