IT World Canada published an excellent article on May 6th: “Goldcorp vice president: ‘Simplify your IT strategy’”
The three key questions the Goldcorp VP asks also need to be asked by Information Security groups if we want to become more integrated and effective within our organizations.
1) What do we aspire to as an Information Security organization?
Traditional IS security has been seen as the guys who say “NO” and run the firewalls; in other words, the people who impede business progress. In today’s world the vendors are often talking directly to the business, and the business then comes to IS and security with “We want this Cloud Service / Software / x..” Therefore, to move beyond the traditional view of IS security and become engaged with the business, a collaborative approach is required to understand and articulate cyber risk in business terms. This means that IS professionals will need to understand the business challenges and embrace a certain level of risk (making sure, of course, that the business understands what is being accepted).
2) How will this positively impact the organization?
By partnering with the business, information security resources can be allocated to the risks with the greatest impact on the organization, enabling the business to keep achieving its goals. The threat of cyber attacks is already known to the business: pick up any paper and there is an article about one. Being able to talk to the business in its own language allows informed decisions to be made from a cyber threat perspective, with the result that the business proactively engages IS and supports its needs.
3) How are we going to bridge the gap?
Moving to a proactively engaged model requires the IS team to learn about the business in more detail and to work actively with it to find solutions to risks. At the same time, one of the biggest value-adds the IS team can bring to an organization is working collaboratively with the Enterprise Architecture / Business Development teams: looking ahead to what the business will need and to the impact new technology will have on it, and preparing for that in partnership with the IS group. With the pace of change and technology in today’s world, solving every problem with no risk is not possible; adopting a business-aligned risk model will enable you to come to the table and have the right dialogue with the business.
The information security team is critical in today’s inter-connected world if the business is to be competitive and, importantly, if it is to help enable operational resilience against the increasing number of cyber threats. Working with our business and IT partners to understand their challenges and objectives, while providing clearly articulated, business-oriented cyber risk information, is a winning combination.
Bjorn Gudehus is an information security expert.