We often think of security in terms of technology and compliance, either because that’s where our interest lies or because we’re mandated to do it. It’s easy to be lulled into a sense that we’re accomplishing our objectives, or to become cynical because leadership cares more about meeting regulations and compliance requirements than it does about meeting real needs.
When we focus on those areas, we end up keeping our heads in the weeds. It increases the failure rate, puts the focus in the wrong area, and shifts pressure onto less important areas and away from business-level innovation.
One of the best ways security leadership can drive innovative security ideas and action is through the reporting structure. Many companies have security rolling up through IT, Risk and even Legal and Finance. The trouble with reporting through any of those groups is that innovation is at best siloed and at worst nonexistent. If innovation is to succeed, security needs to report directly to the CEO or at least the COO. Ingenuity and the view of security would change, innovation would occur and companies would find ways of turning security into a profit center. I’ve long thought about and struggled with the idea of security as a profit center. I’ll continue to believe it can be done, and in any organization, until proven otherwise.
If security could switch from directly reporting to one of those groups and instead act as an overlay, innovation and profitability would change. For example, marketing and sales could work directly with security to develop products that are more secure and designed around industry best practices or certifications that give them a competitive advantage. This isn’t just an example; it’s real. We’ve had a VoIP company come to us to discuss how aligning their systems more toward HIPAA may increase their advantage and subsequent profitability. Another company came to us because a competitor had used security as a differentiator against them, on multiple occasions, and they were losing longstanding clients.
Another positive change from innovating with security would be increased activity among groups vying for time from the security group to help them drive profitability, revenue or cost savings. When this happens, security budgets will increase based on needs, and each group can be incentivized for innovative security measures. This will put the greatest focus on those groups that have the largest impact on revenue and profitability.
Redefining security through innovation will cause several other things to happen, which ultimately will lead security into being a profit center. There should be a reduction in redundancy: no longer would multiple groups be working to create the same results, and groups and divisions would increase their internal collaboration. The state of security, or the pulse on company security, will allow us to see and experience trends, which leads to even more innovation.
We need to lead companies through treacherous times of breaches, exploits and firefighting and start to look at ways to “sit at the table” with the CEO and have an impact at the highest level.