Most businesses manage complex interacting variables - multidimensional production inputs, outputs and relationships - in order to create stakeholder value. These complex variables in turn have associated multi-dimensionally complex risk attributes that must be managed in order to minimise the leakage and erosion of value from the business. There can be no reward without the effective management of those risk attributes; businesses can only generate profit and stakeholder value through effective management of risks. A sub-optimal risk management strategy will almost always lead to losses – and usually with financial impacts.
At the core of an Enterprise Risk landscape is Information Management Risk (“IMR”), and at the core of Information Management Risk is Information Technology Risk (“ITR”). Therefore, effective management of both IMR and ITR is essential to effective Enterprise Risk Management (“ERM”).
Information Security Programmes (“ISP”) are both business-enabling objectives and control objectives for managing both IMRs and ITRs. Hence, an effective Information Security management programme can help a business optimise Enterprise Risk. Like every risk management strategy, there are cost implications to risk mitigation, and since the golden objective of a business is the maximisation of profit (or created value), a business must seek to strike the risk optimisation point. That is, to invest just enough in managing IMRs and ITRs to ensure the viability of the entity and the maximisation of stakeholder value.
An optimised Information Security programme can only be achieved if Information Security frameworks and architecture are aligned with the business architecture. That is when all information security activities within an organisation are governed, managed and operated in a way that supports and enables the delivery of the organisation's strategic goals and objectives. This can only be achieved through the definition of a business-aligned security architecture.
The current security landscape across the globe, and in New Zealand in particular, suggests that most corporate environments are not operating aligned security architectures, which has resulted in too many preventable security incidents with consequential damage to the collateral (trust attributes) upon which the impacted organisations trade.
A cursory review of the security landscape across the industry paints the grim picture below:
- Disconnection and misalignment between business direction and security operations
- A general lack of aligned security architectural view of the business
- Use of unduly complex technical security language is pervasive across the industry, especially when communicating with upper management. This leads to a lack of understanding of security by the business leadership group
- General business leadership disengagement and a hands-off attitude towards security activities
- The widespread prevalence of security point solutions across the business landscape, a knee-jerk firefighting strategy
- Security ownership is quite low in most organisations, leading to a lack of visibility of security outcomes and of the value of security to business leadership groups
- A sense of increasing leadership resistance to investing in new security projects/solutions
Yes, grim indeed. But this need not be the case. The trend could be reversed if security organisations and businesses heed the late 19th century call from Joseph Malins in his poem “Fence or Ambulance”:
Better guide well the young than reclaim them when old,
For the voice of true wisdom is calling:
“To rescue the fallen is good, but ’tis best
To prevent other people from falling.”
Better close up the source of temptation and crime
Than deliver from dungeon or galley;
Better put a strong fence round the top of the cliff,
Than an ambulance down in the valley!
It is more strategically advantageous to build enabling security objectives into the fabric of an organisation than to play perpetual recovery. Most businesses work very hard to build trust and goodwill. Destroying those through preventable security incidents may in fact lead to loss of business viability. An aligned security framework can help prevent this loss.
An appropriately aligned security framework will:
- Provide relevant architectural guidance to business strategies and thought leadership. This will embolden the business to leverage security capabilities to manage strategic risks and create competitive advantage in the industry and market
- Provide relevant and appropriate guidance and governance inputs into the definition, development and deployment of new business solutions, ensuring that the business environment remains safe, secure and maintains integrity through change
- Enable the identification and remediation of current risks and issues, thus enabling the business to operate within acceptable tolerance limits of its risk appetite
A business-aligned security architecture helps articulate the bigger picture – the essence of the business – using a common language that both security and business leadership can understand. It is an architecture driven through a business lens and perspective. A robust business-driven security architecture will, amongst many objectives, create a traceable link between every activity that derives from the security management programme and the objectives of the business the architecture supports.
A business-aligned security architecture, or at least its objectives, is laid out in common business language, and so are the associated key metrics. These key metrics are quite easily transformable into business metrics that are useful to business leadership. Hence, it is no more difficult for business leaders to govern security than it is to govern financial risk management processes. Security management thus becomes visible to the boardroom, and business leaders are able to utilise security as a strategic business toolset.
This new capability of utilising security as a strategic business tool enables businesses to create competitive, value-creating opportunities, and security could indeed become the competitive edge for the businesses that know how to use it.