Is it ever possible for security to be more than just an insurance policy? Every so often a security firm will have a go at trying to change perceptions – to convince its C-level target market that security can actually be more than just a cost-centre.
For security to actually be an enabler, and for the argument to stack up at executive level, the following must be true:
“The security programme will enable our organisation to capture more value from its business model.”
For a commercial organisation that simply means making more money, one way or another. Until recently, attempts to brand security as an enabler have been rather clumsy and fail this test, focusing on streamlining security or baking it into IT at an early stage of the lifecycle to reduce cost and complexity. The problem is, this is still just an insurance policy – a better delivered one, sure, but not something that’s going to grab the attention of a CEO.
Now in 2018, have the underlying fundamentals of business changed enough for security to actually enable growth and success? By looking at the relationship between security and sales, productivity, C-level decision making, IT and marketing it’s clear that security has a much bigger part to play.
1) Strong security will enable you to win customers and retain customer loyalty
Across several B2B and B2C sectors, from finance to pharma, recruitment to retail, having a trusted and provable security posture is an essential requirement for new customers to do business with you. This has often been posited, but was recently proved in a survey by Vodafone where 90% of businesses said strong cyber security would help their reputation in the market, attract new customers, and improve customer loyalty.
Put simply, better security leads to stronger sales and greater customer retention.
2) A detection and response programme will allow restrictive preventative controls to be relaxed, increasing productivity and reducing shadow IT
This is a perennial problem for the infosec industry, and particularly for CISOs. Their businesses employ smart people who are capable of rapid innovation, but who are held back by restrictive checks and balances from the security team. “Sure, you can give that software a trial – but we’ll have to audit it first.” Or, “collaboration is a great idea – but can you wait until we’ve tested the platform before you go ahead?”
With the vast majority of security budgets historically allocated to preventative controls, it’s no wonder that this has led to a shadow-IT culture in which smart, innovative employees simply bypass corporate systems and do it themselves – which of course actually increases the security risk.
Given the issues with the effectiveness of preventative controls, and the fact that attackers can usually find a way around them, Gartner forecast a 60% shift in budget from ‘prevention’ to ‘detection and response’. This is a golden opportunity for security to relax its restrictive posture and support the business in flexibility and innovation, confident that if there is a breach it will be detected and mitigated before it results in any impact. Better detection and response, greater business productivity.
3) Strong security will give confidence to the business in support of expansion into new territories or markets
Arguably this is just a way of spinning security-as-an-insurance policy… but is it?
When firms are looking to capitalize on first-mover advantage, or launch a new product or enter a new territory, rapid and confident decision-making from the senior leadership team can make or break such a play. Having a security posture that will enable the firm to withstand new – and possibly more capable – threat-actor interest, moves ‘security’ from ‘weakness and threat’ to ‘strength and opportunity’ during the board-level SWOT analysis, and will enable the firm to de-risk some of its more progressive decisions.
What does this mean in practice? That a business underpinned by a mature security posture will be able to outmanoeuvre its competition. That’s some insurance policy.
4) Modern security is reliant on vast quantities of data – which can optimise the wider business
Security used to be about applying policies, signatures and controls – but effective security, particularly in the world of attack detection, is now reliant on complete visibility of everything that happens on an IT estate in order to detect the unknown unknowns, targeted attacks, and malicious activity using legitimate IT functionality.
In fact, security teams sometimes have a better view of IT than the IT team. This insight can be used for network optimisation by tuning the performance of existing assets, but also for detecting the use of shadow IT in a way that central IT cannot. This means it’s security that can actually give the business an advance view of what its mid-to-long-term IT requirements might look like, based on its shadow-IT usage, which is normally the result of innovative staff doing innovative things.
5) A well-handled security breach can actually boost brand equity
It’s always assumed that a security breach will result in negative publicity, loss of confidence and then customer churn or difficulties in acquiring new business.
But does this always have to be the case? What if a well-handled security breach could actually reflect well on a business? Examples where this has happened are still thin on the ground (hint: run your incident response playbooks, then run them again) – but it is worth considering the aftermath of the incident at Cloudflare. This was a business subject to a significant breach which could have holed it below the waterline if handled badly. However, because the breach was communicated to customers and the public with full transparency, along with published mitigation plans and rapid action, instead of suffering long-term damage Cloudflare was able to add the values of honesty, adaptability and ‘doing difficult things well’ to its brand equity.
Security will never be 100%, and these examples show that society is starting to accept this fact – even responding positively to a breach provided it is handled in the right way.
What does all this mean – can we view security as a profit centre?
Perhaps not quite yet – but it is clear that times have changed significantly. As an industry and as a function, security should start thinking about being a lot more creative in how it communicates its value to the rest of the business. The five points above show genuine positive return by enabling the business to be better at what it does, innovate faster, and even give it the edge in a competitive market.
Now that’s something for the CEO to get excited about.