© Neelesh Ajmani and Dinesh Kumar 2017

Neelesh Ajmani and Dinesh Kumar, Achieving and Sustaining Secured Business Operations, https://doi.org/10.1007/978-1-4842-3099-2_1

1.  Current Practices

Neelesh Ajmani (1) and Dinesh Kumar (2)

(1) Hopkinton, Massachusetts, USA

(2) Chadds Ford, Pennsylvania, USA

The world is well connected and discoverable for both good and bad people. Throwing money at the problem may only compound the problem.

Information Security, a Growth Industry?

There is hardly a day when information security is not occupying one of the top slots in the newswire. Each time there is a piece of bad news or a security outbreak, organizations are quick to announce initiatives related to information security, cybersecurity, hacking, malware, data loss prevention (DLP), personal data, identity, and access management. Numerous organizations have been spending increasing millions of dollars on such initiatives and still get no relief from cybercrimes and data breaches. Cybersecurity has become a high-growth industry, with a predicted 9.8% compound annual growth rate (CAGR) between 2015 and 2020.1 Global spending on IT security was $75.5B in 2015, is expected to be $101B by 2018, and will likely reach $170B by 2020. A significant proportion of this spending is allocated to fraud and data breach detection, with emphasis on Security Analytics, Threat Intelligence, Mobile Security, and Cloud Security.

The irony is that Cybersecurity has become an industry, a growth industry. As it produces goods (software, hardware) and related services within an economy, it meets the technical definition of an industry. Since the Industrial Revolution, industries have been created to improve the standard of living and to foster the growth of a country or a global region. The security industry is growing because it has become a mandatory expense to work and live in the connected and interdependent world. Information and the Internet have had many positive outcomes: connecting people, processes, and organizations around the world; creating millions of jobs; and adding trillions of dollars to the global economies. Chief among the recent innovations are the Internet of Things, Digitization, Social Media, Mobile, and Big Data; these are collectively transforming organizational culture and the lifestyle of people. Everything from personal identities to all owned assets at every level has either already been converted to digital form or is in the process of being converted. Business processes are being digitized for better transparency and agility. As an individual or as an organization, a connected and transparent world is both a blessing and a curse. How does a growing investment in information security help you effectively manage the potential vulnerabilities while being innovative in products and processes, connected and collaborative with customers and partners, and open to work from anywhere? Can you afford to continue to spend more money?

State of the Business

According to the World Economic Forum, cybersecurity is costing businesses $400B–$500B in damages per year. Much more damage goes unreported due to a lack of appropriate understanding and quantification of impact, compliance, or reporting regulations.

Understandably, boards of directors and management officials do not want to see the name of their organization in the news about a security breach. What has surprised us is how these very people act in managing security protocols and how they react when things go wrong. Whenever a high-profile incident takes place, the board of directors seeks information from management, particularly the CIO or head of IT, about potential exposure. In most cases, they simply don’t want to be surprised and need assurance that IT is taking all the necessary precautions to avoid unwanted publicity. During regular board meetings, security becomes just another line item, limited to status updates on the security initiatives and measures that IT has taken since the previous review.

We know that senior leadership and line managers have many agendas on their plates that preoccupy their time and attention – competing in the marketplace, monitoring business results, and driving improvements in their area of control. Business is frequently quite clear and direct about what it wants IT to do in terms of new capabilities or improvements in systems. When it comes to security, it tends to take a reactionary approach, leaving it up to the CIO and the IT team to figure out the strategy and technology solutions for managing threats, fraud, and breach detection. Even in the case of compliance, for example, PCI or SOX, business tends to view it from a technical point of view, expecting IT to take care of the compliance requirements. Funding for security projects is generally sourced and approved generously due to fears of cybercrime or compliance exposure.

State of the Security Practices

The IT group is responsible for managing the technology solutions used by the business. As many applications are purchased rather than developed in-house, the security focus has been on the infrastructure: controlling devices, limiting access, monitoring traffic, and detecting fraud and policy violations.

As information security management is delegated to the IT department, the security industry has been primarily focused on developing frameworks and solutions for managing information security by managing infrastructure security.

A wide range of security standards, guidelines, and controls is available from the National Institute of Standards and Technology (NIST), the Department of Energy and Department of Homeland Security (DHS), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS). Table 1-1 provides a high-level summary of the purpose and intent of these frameworks and practices. Check out the web site securedbusinessops.com for additional details on these frameworks.

Table 1-1. List of Security Frameworks

Cybersecurity Framework (NIST)

To identify, protect, and detect security vulnerabilities in critical infrastructure, and to respond to and recover from security incidents. The critical infrastructure includes systems on the organization’s premises or in the cloud.

Cyber Security Maturity Model (C2M2, Department of Energy and Homeland Security)

A set of practices organized into ten domains to secure Information Technology and Operational Technology assets and the environments in which they operate. It emphasizes end-to-end process management.

ISO 27001 and 27002 (International Organization for Standardization)

The ISO 2700x series of standards, guidelines, and associated certifications is very extensive in nature and is the greatest source of details for IT to develop Information Security Management Systems. They emphasize implementation of controls for managing information risk.

Center for Internet Security (CIS)

Twenty security controls for addressing cyber risks. These controls address the areas that could pose cyber threats. They are referenced by many other frameworks, such as NIST and HIPAA, and are used by organizations investigating Internet security threats and data breaches.

There are many other public, nonprofit, and commercial organizations that have developed methodologies and tools to prevent unauthorized access, detect vulnerabilities and incidents, and restore the service in case of a disruption. Most of them view security as a technical problem requiring a technical solution.

Anything Wrong with the Current State?

Nothing is wrong with the technology solutions and practices that are designed to address security challenges. Truly! The solutions and practices exist because there is a market for such products and services. What may be wrong is our mindset, our attitude, or our approach to planning and managing security. We find these quite like many transformative paradigms and revolutionary IT decisions of past decades, such as Quality in the 1980s, Automation in the 1990s, the Internet in the 2000s, and Digital in the 2010s.

Considering that Quality, Automation, the Internet, and Digital have a direct connection with customers and products, one would think that business management would take a keener interest and ownership in driving, shaping, and exploiting them for business advantage. Eventually, business did, but it didn’t start that way. Initially, Quality was viewed as a manufacturing problem, so it was left to the manufacturing plants to figure out what they could do to improve quality. Management considered quality a cost of being in business and a necessity for being competitive. Even after spending millions of dollars on designing and implementing quality processes and auditing quality, many companies failed to create a quality culture and a sustainable quality advantage. Successful organizations transformed their business model and business strategy around quality as a competitive differentiator. These organizations recognized the challenge of continuously producing or delivering quality products and services while simultaneously reducing cost. Accordingly, they started managing quality as a differentiating organizational capability, positioning quality as a value driver, not as a cost to the business.

Technology has triggered many business innovations. For example, the Internet has provided global access and reduced the barrier to entry, and Digital technologies have enabled real-time access. It may seem obvious for business management to delegate the planning and delivery of technology-based innovation to the technology group. At the same time, it is also obvious that most organizations are not able to fully realize the potential of technology innovations. The reason is quite simple – technology alone does not create the desired change in the organization, and surely does not provide a sustainable advantage. The business managers who understood and integrated technology-enabled innovation into business planning and governance enjoyed a trajectory of continued growth and highly satisfied customers, partners, and employees. If you have not already, you may want to find out: how many technologies has your organization purchased that have never been deployed? What percentage of employees has changed their workplace behaviors in response to a new technology solution? Are you surprised by your findings? What is the root cause of whatever you found?

What’s wrong with the current security frameworks and practices is exactly what has been ailing many past practices in addressing organizational challenges and transformation initiatives. Could you have improved and sustained sales growth just by implementing a customer relationship management (CRM) system without having the appropriate skills, staffing, culture, and processes? Could you have sustained customer loyalty just by implementing big data and social connections without having customer-centric product design, development, and support? Can you avoid cost and realize the business value of IT just by outsourcing or going to the cloud? Can you be safe and secure just by building technological walls and barriers? Ask yourself and the people around you how current practices and management attitudes are making us innovative and responsive while being safe and secure.

Transforming Fear Into Confidence and Advantage

Rather than asking what IT is doing to protect the business, the business should be asking what it is doing to run business operations uninterrupted, safe, and secure. Rather than viewing money spent on information security as a necessary expense, organizations should be considering information security as a strategic differentiator. Information security is a business-critical issue. The fear of potential failure can’t be left to the technology-savvy people of the company to address, with the notion that technology created this problem and only technology can solve it. The fear needs to be transformed into confidence that creates business value by embracing the challenge. The question is not whether security is a business or a technology problem. It is business critical to gain customer confidence and workforce confidence, grow the business, increase competitiveness, gain market share, improve productivity, and contribute socially to improving the living standards of society. Security is not a technology problem; rather, it directly impacts all the business drivers. Security should be tamed with confidence, improving business operations overall through proactive approaches rather than reacting with fear. Ultimately, securing business operations will generate sustainable business value.

To get different results, we need to do things differently. We need new practices in which we look at and manage security from the business down, not just from the technology up. Individual and technology accountabilities are not sufficient. It requires cross-functional decisions and collaboration for end-to-end securing of business operations.

The next chapter introduces the framework and a set of next practices for transforming the management approach and managing the organizational capabilities for achieving and sustaining secured business operations.

Footnotes

1 Gartner Group, IDC, British Lloyds.
