For years we’ve encouraged our security and risk leaders to prepare for disruption. We tell clients that regardless of the catalyst, whether a ransomware attack that takes down the business or an economic downturn, the time to plan for it is now. We did not anticipate that event being a global pandemic.
Security has been caught unprepared in the past — by digital business, cloud and the convergence of OT/IT — and we can learn lessons and leverage them moving forward, but we’re still charting unknown territory.
Security and risk leaders need to live in the new normal, but the questions they should be asking aren’t new. How do we protect the organization and facilitate business in this environment? How do we continue to operate in lockstep with executives? How do we do these things with less budget?
Secure the business.
The pandemic shifted consumer patterns, and with that, entire business models. For example, ordering groceries online or seeing a doctor via telehealth were both available before, but COVID-19 increased their popularity substantially, with no real clarity on whether we will ever return to pre-COVID formats. For many companies, nonexistent or little-used work-from-home technologies had to be launched, and secured, quickly. Now, security and risk management (SRM) needs to be thinking about what happens if those changes are permanent.
And beyond the changes, what areas will need extra attention? For example, organizations may begin to collect employee information that relates directly to the COVID-19 pandemic during the return-to-work phase. Deciding what data to collect and how to store it brings new challenges.
Prove the business case.
Historically, SRM leaders have not been able to communicate how security aligns with general business goals and how it benefits the business. But it is vital. By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business. It’s critical that SRM leaders supply board-relevant and business-aligned content that is not hampered by overly technical references. Link (implicitly or explicitly) security and risk to business elements that the board members value.
Mind the budget.
SRM teams now have the added complexity of cost optimization and budget restrictions. SRM leaders are often not effective at connecting the dots between what they’re doing and how it aligns with the overall business goals. As a result, when organizations are looking to cut costs, SRM leaders are often not in a good position to defend their programs and justify expenses. But it’s vital that they do so, while acknowledging areas where expenses can be reduced via automation, machine learning and service providers.
Make sure to always ask yourself: If we’re forced to spend less, how do we make sure our businesses are still adequately protected? How do we make sure we’re still managing the risk appetite of the organization? How do we facilitate growth with less investment? Be prepared to defend your budget.
In the new normal, many organizations are struggling to stay alive, while others are rolling with the disruption and growing and thriving, treating it as an opportunity to accelerate their plans to become digital organizations. In either case, the risk landscape may never be the same. What’s your plan?