Dark Reading is part of the Informa Tech Division of Informa PLC

Roland Cloutier

Setting Up Security as a Business: 3 Best Practices for Security Execs

Security leaders need to show they provide more than "stop-the-bad-guys" services. Here's how.

At the beginning of March 2017, a third-party platform launched that promises to be a bidirectional clearinghouse to improve the security industry's approach to third-party risk management. Called CyberGRX, the company says it will dramatically alleviate what is now a manual, spreadsheet-driven process of vendors being inefficiently assessed by customers. It will allow security teams for both companies and customers to focus on protecting their respective businesses.

The existence of CyberGRX and other new services signals a movement in the security community. It's a clear confirmation that security is now a fundamental business issue and a potential growth advantage — and that security executives must take the lead in convening the business and having discussions about how security becomes a strategic lever.

[Check out Roland Cloutier's session, Managing Risks to Reap Rewards: How to Use Security as a Growth Advantage, at Interop ITX on May 17.]

And more often, security execs have the floor. The massive volume of cyberattacks, exploits, and cybercrime has made it clear that every company will be affected by a security issue. Security officers no longer have to waste time legitimizing security as a business risk; they should be the lead executives who provide the insightful information and details on business impact that business leaders need to make sound decisions.

This is the moment that security professionals must change the view of security from a defensive "stop the bad guys" function to a strategic lever that is critical to sustain and drive the business. This "Business Operations Protection" mentality has been simmering for a long time within the security community, and there are three things its leaders must do to make sure this mindset is accepted by the C-suite and board of directors.

1. Know the state of security.
Security leaders are being heard, but how did we get here? In other words, what resonated with your C-suite and board in the first place to give you a seat at the table? There are three main trends:

  • More volume and velocity of cyber incidents. In 2016, more than 4.2 billion records were breached in 4,149 separate incidents globally. What are the trends in your industry and against your business, and how are you proactively defending your organization from these threats?
  • More dramatic and objective business impact. In recent years, security attacks have been measured against things that align with business impact: consumer confidence, business reputation, and rising costs are a few popular metrics. For example, in 2015, British insurance company Lloyd's of London estimated that cyberattacks cost businesses as much as $400 billion a year, including direct costs plus residual post-attack business effects. In what way can probable events affect your business, your clients, or your go-to-market objectives?
  • Greater accountability to be secure and report as such. Other companies in your ecosystem — such as suppliers, distributors, customers, competitors, government agencies, and so on — are also more aware of the risks of cyber incidents than they used to be, so we're seeing more reporting and compliance-like regulatory measures appear. Not complying comes with its own potential costs and penalties. Examples include the General Data Protection Regulation in Europe and the New York State Department of Financial Services regulations; all carry implications for the theft of personally identifiable information, payment data, and personal health information, as well as the costs of credit monitoring and notifying customers.

2. Language to talk to business leadership.
Security leaders are great at understanding the business at a technical level, as well as the bad guys and residual risk measurements. On the other hand, they're often not as well-versed in how to talk about the security function's goals in a way that resonates with the business. If security leaders merge performance indicators with the impact that security has on them, define clear alignment to the company's strategic imperatives, and create a road map for security, risk, and privacy efforts that accelerate the success of company goals, business leadership will be able to listen, understand, and support the security team's mission.

To accomplish this, you should be armed to discuss:

  • Strong metrics around how breaches affect the business. For example, figures around cost per incident and the impact on your company's profitability, or the number of incidents caused by employees, technology, or external influences, and the resulting hours of downtime to enterprise systems.
  • The less-quantifiable effects resulting from security attacks. For example, the reputational impact on your company, client wins and losses due to security features, or client satisfaction and promoter scores after an incident.
  • How security services, projects, and programs provide foundational capabilities that are necessary to deliver or accelerate strategic corporate imperatives.

3. Become an expert in the business.
In talking security, what can get lost is what it's all for. In other words, security leaders must know end-to-end how their business designs, builds, delivers, and supports the products or services it takes to market.

Some of the key questions to ask:

  • How do we make money? What is our profitability model? Is it on repeat business? Is it on net new clients?
  • What does the network of organizations impacting my business look like? Who does business on my behalf? What type of information and technology are exchanged? What supplies my organization so that it can deliver services?
  • What is my intellectual property and why does it matter to my business?

To drive security as a business, at ADP we have a process called value chain risk assessment. We look at our business model and map out the value chain. Because we have multiple businesses within the larger ADP, we have a team called business security officers, whose mission is to understand how our business is designed and delivered so that we're constructing our security services in a way that serves and supports what we do.

It's almost too obvious to say, but security is a fundamental driver of business and competition. The businesses that win will be those with security leaders who know how to leverage it.

As the chief security officer of ADP, Roland Cloutier works to protect and secure one of the world's largest providers of business outsourcing solutions. His expertise includes managing converged security and business protection programs. Roland has functional and ...