SECURITY STRATEGY – CREATING VALUE



If you do not know what value means for your organization from a business perspective, how will you be able to create it from a security perspective?

Question:
What does creating value mean for your organization from a security perspective?

[I encourage you to contemplate this question for a couple of minutes before continuing to read this article.]


“This is the most important asset in our business organization!!!”
“What do you base that on?”
“[…<silence>…]”

At this point, if you have read my other articles about security strategy, you are familiar with this: security within an organization is a supporting function.

Security exists to contribute to making an organization successful. Security exists to support the execution of the business objectives, mission, and vision. Security shall support the business to “create value”. Security does not exist for its own self-fulfillment.

The value of security within an organization may mean different things depending on who you are speaking with. This will most certainly also be true between organizations. It will also be true if you ask the question of an executive leader, who may have one perspective of what it means compared to a software developer or your external customers. But all these persons/roles/entities are a part of the organization that you are there to support, i.e. create value for.

To understand your organization you need to communicate with your stakeholders in a way that lets both of you understand each other. Without this form of mutual understanding, value creation becomes close to impossible.

The power of listening and asking questions, to learn and understand, is one of the most powerful tools you as a security leader hold. Sharpen this tool, and you will instantaneously grow as a security leader, and your organization will directly gain value from your services and support. Take a look at this article if you want to read more about my thoughts on the subject: SPEAKING SECURITY. THE LANGUAGE & COMMUNICATION.

CREATING VALUE

How does security create value, you may ask? And how do we measure the “value” that security is creating? These are two very interesting questions that are less often spoken about among and by security leaders and experts. Maybe because they tend to be a bit philosophical, and the general population within the security field comes from a technological and/or engineering background(?). And do not get me wrong here, this is not meant as a rant from my side; it is just an observation to which I attach no negative feelings or preferences. Security people usually have a career focused on technology and less on business management. This was the case for me as well, and I am forever thankful for it. But more about this in another article.

The purpose of this article, and of the others in my strategy series, is to awaken and shine some light on these questions. I want to help you start to think about and ask those questions, so that you can find the answers together with your organization and the stakeholders around security. In other words, more about that business management mindset from a security point of view.

The word “value”, when it comes to the security domain, is here and there translated into something like:

  • Increased risk and security awareness.
  • Improved capabilities to detect security threats and attacks.
  • Improved capabilities to forecast and manage emerging risks.
  • Strengthened protective security controls for managing third-party risk.
  • Enhanced capabilities to respond to security events and incidents.

But is this actually “value”? Is this what is determined as creating value from security for an organization? The boring answer: It depends.

For some organizations it is. For others, it isn’t. And I am of the belief that the value of security cannot and shall not always be the same generic answer, or something that needs to be measured in quantifiable terms. It is not always about chasing dollz –> monetary profits, cost saving, cost reduction –> capitalizing on those Benjamins. But I do think that some form of measurement will be beneficial for communicating the value of security.

Measuring security is something that I have seen done in strange ways here and there, i.e. metrics and measurements are used that are of little relevance to the organization’s success. And I think that if security is to be measured, those metrics and K[x]Is need to be well thought through.

Value creation from security is subjective for each organization
The “value” of a security strategy is, to some extent, subjective for each organization. Your mission, as a security leader, when creating a security strategy is to understand what “value” means for your organization from a security point of view.

There are many good methods and ways to form, structure, measure, extrapolate, simulate, prognosticate, and forecast security. Monte Carlo simulation, for example, is one of them, but not the one and only. A standard or framework, like for example ISO 27000, NIST CSF, COBIT, or ITIL, is another form that can be helpful. But I think that these things should be used for inspiration rather than as the “solution”. A security strategy needs to be created and crafted towards the uniqueness of your organization, and not the other way around.

Putting too much focus on, for example, quantifying security into dollz can lead to something similar to this (which is an experience I have witnessed in real life):

“The cost of a security incident is determined to cost us <insert$dollz>! We are investing <insert$dollz_invested>!!! The investment in relation to the return on our security controls in combo with the likelihood that we get attacked are not in proportion to each other! And, we have never been attacked before! <insert angry face emoji>”

I get it, and I think that situations like these need to be aired out. Here and there security is only seen as a cost center. Something that is costing money and slowing an organization down. This should not, however, be how security is perceived.

I think that a valid question to ask, in situations like these when statements similar to the above are verbalized, is for example: “Why are we trying to monetarily quantify everything that is security related?”. I would not be surprised if this question gives you some answers you were not contemplating or prepared for.

What I have learned is that some of these persons who always jump into the dollz-discussion might come from a background of studying finance and economics. Or he or she may like to speak about investments in pure monetary figures, independent of whether they are security related or not(?). The person may not understand the application of security or how it relates to value creation.

I mean, if this is the case, it is up to you, who are there in front of this person and are the expert on the subject of security, to explain how things work. You, as a security leader, need to lead the conversation by first listening and then explaining to your audience how security adds value to your organization and stakeholders.

What about asking the person in front of you: “What value do you expect from security in your day-to-day job role?”. I strongly encourage you to dig into this question with your stakeholders and business leaders, within all levels of your organization, to better understand what value creation of security means for them.

This is not about going on a hike where you are out to find people who have wrong opinions or perspectives. This is about going on a journey together with your stakeholders in your organization and encouraging them to speak in their own language. Let them explain to you what they need and expect when it comes to security. This hike is about finding out what is hidden in that treasure chest at the end of the map. And you, as a security leader, shall do this hike together with your stakeholders. Take them with you on the adventure.

If you, as a security leader, want to provide value to your organization, you need to learn and understand what value means for those you support. It might come down to certain technological controls being necessary to invest in. Still, it is highly unlikely that your business stakeholders will say “Install the latest appliance from vendor XYZ and […]”. If the discussions should take this route, I strongly encourage the two of you to take a couple of steps back together, sit down, and investigate the business requirements before another blinking box or security portal is implemented.

Technology is one way to realize value from security, but it is not the only way. Risk management is another, but it is also not the one and only realizer of value from security, nor what a security strategy shall be developed around. Security is not purely about technology or risk management. But both of these things are among the ingredients that an organization, in one way or another, most likely will and should include in its security strategy.

EPILOGUE

The value of security, and what it is mainly about, can be summarized in three things. I am not in any way saying that security is only equivalent to these three things, though. But, as I like to simplify stuff because it makes things easier to grasp and put into practical understanding, I will do so once again.

The value of security can be abstracted and condensed into the following three things:

  • Supporting the organization
  • Providing protection & resilience
  • Continuous improvement

Now, ask yourself how you as a security leader together with your security team fulfill these three things in your organization. When you have the answer to this question, ask yourself how you communicate the answer to your stakeholders in your organization.

Do they know how you support them? Do they know how you provide adequate protection and resilience? And do you and your team, together with your stakeholders in the organization, work to continuously improve your security posture and cyber resilience?

The value you, as a security leader, create for your stakeholders together with your team might not be as obvious for them as it is for you. But it should be. And, it is up to you as a security leader and expert in the subject, to make sure your stakeholders and organization understand the value you create.

The way to accomplish this task in the most powerful way is through mastering the skills of communicating and speaking about security. You need to be able to influence those in your organization who need to be influenced. You are there to help the decision-makers in your organization realize the value creation from security that will contribute to your organization’s overall success.

If you cannot communicate the value of security and how that cool security strategy is going to realize value for your organization, the likelihood of reduced value realization increases drastically. And I think this is one of the most, if not the most, important skills a security leader needs to master. Communication.

You need to be able to communicate the value security provides to your organization. A model or digital instrument will not do the job. That model, method, instrument, etcetera might be one way to visualize, calculate, abstract, and <insert here> the message around the value of security. But these things do not, by themselves, influence a decision-maker or a business stakeholder. That part is up to you.


What does value mean for your organization from a security perspective?



[Give yourself a couple of minutes to contemplate this question again, now that you have read the article.]

Henrik Parkkinen