In September 2006, I wrote a dissertation on changing the value perception of security within the enterprise. Whilst you would hope that the challenges I discovered would have been resolved organically in the almost 18 years since it was published, many of them remain.
The learning from this dissertation has guided my career path ever since.
The abstract, written in September 2006, stated that:
Research throughout this document provides a view of organisations placing great importance on compliance, without attempting to understand the risks they face. These risks have been shown to be increasingly focussed on the internal sociological weakness within organisations, whilst the response from organisations focuses on technological controls. This has been shown to provide a perception of security as a technical overhead rather than an organisational investment. In addition, measurement of security within organisations tends to focus on the performance of technology rather than the protection against threats, and research shows that there is a lack of confidence in the ability to provide protection against internal threats.
The intention of this document was to show that the value and performance, as described above, of security functions can be exhibited to the enterprise through the utilisation of the Benefits Management and SABSA® methodologies amongst others. It is felt that utilisation of these techniques has sufficiently proven that value in non-financial terms can be shown and that the benefits of a well-structured security function are of great value to the future prosperity of business functions within the enterprise.
A report from Deloitte Touche Tohmatsu, published in 2005, illustrating the findings of its survey into the state of IT Security within the global financial services industry stated that “Although the majority of respondents [Of the survey] are still doing poorly at measuring performance – if they are attempting it at all – the ones that do measure performance appear to be focusing more on cost and returns as opposed to the value the security provides to organizations. Evaluating security projects in terms of the value and impact delivered to the business and identifying a language that both security and IT people can talk, will not only help the security function achieve greater recognition but will also result in projects that will become more aligned with the needs of the business.” This statement alludes to the fact that the value that security can provide to an organization is not being accurately illustrated and that measurement of the performance of the security function is not being conducted.
If the above statements are correct, then there is a very real issue regarding the ability of security functions to illustrate value.
Reading through last year’s Cyber security breaches survey 2023 (https://lnkd.in/emEewwQf), I’m struck by the abject failure of the past 7 years of cyber according to its output. Certainly, the issues I found in my research still remain after 18 years.
Whilst 14% of organisations have heard of the basics for cyber (the 10 Steps guidance), up 1% since 2017, only 2% have benchmarked themselves against it (and we’re not even talking about getting Cyber Essentials here).
This is despite 49% of organisations looking at external guidance, which is resulting in:
- 29% of organisations writing a security policy
- 29% of organisations undertaking risk management
- 26% of organisations undertaking asset management
- 31% of organisations undertaking vulnerability management
- 37% of organisations undertaking identity management
When you consider that 71% of organisations rate cyber as important, the above is a damning indictment of our industry’s ability to communicate the outcomes that organisations need to meet.
My dissertation sets out strategies for how security professionals can improve engagement and demonstrate value to their organisations:
- Improving perception through the illustration of benefits
- Improving understanding through alternative learning techniques and risk assessment
- Improving the performance of security by creating security architecture
- Measurement of performance
If you’d like to know more, then please do download my dissertation.