A challenge for large businesses is addressing their own information security needs to manage their operations in a manner that allows them to be resilient and adaptable in an ever competitive market place. Each organization is different – the risks and the needs to mitigate. A painful evolution of the past decade has been the mistaken direction organizations have taken to build / address singular compliance instances. Meaning, organizations develop programs to address single compliance requirements – vendors, SEC, industry, etc … Not that these are not important, but a natural effect of this is the perception that the security “controls” (even the word doesn’t lend itself in the right non-audit light) are there to achieve compliance.
The mistake is achieving compliance to compliance requirements alone. There is a gap in the business’ OWN needs. Over the past year I have spoken on this topic publicly at conferences and my book has a huge focus on aligning and establishing business requirements cohesively.
To elaborate on the graphic … the CxO office must be aware and share their strategy – typically easy to find, as I generally begin building these programs from the 10-k reports over last two years. These feed the information security program elements and form the decision framework against all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, etc… In addition, the compliance elements must be addressed – but with the understanding these are risk transfer activities by third parties. Not to be the basis of the enterprise program, but a singular consideration.
The capability of the organization to address market competitive requirements is based upon the proper balance. Here you can see the target is 85% of the program is made up by the business’ own innovative and market driving / supporting activities. 15% of the program to meeting these ‘license to operate’.
The takeaway is to challenge your organization’s singular managed compliance initiatives and a deep dive on budget alignment to business revenue generation. There must be rationalization to the safeguards to make the business efficient and effective – that includes safeguarding and enabling the business to conduct business, everywhere.