Business strategy or cybersecurity? Do you have to choose?
Handling everything from printer issues and password resets, to managing and maintaining large-scale infrastructure installation projects, your IT department has a number of responsibilities that provide huge value to you and your organization. They work hard to ensure that you have continuous access to the technology that will best enable your strategic goals for the business. Implementation of the right technical tools has an immense impact on production and profit margins.
In most organizations, IT is rarely involved in deciding business strategy, setting business goals or determining the company's risk appetite. Instead, its main role is to support and enable the business. In fact, most IT job roles do not have a focus on business strategy at all. The challenge arises, then, when the same team that is tasked with implementing technical solutions is also expected to secure that technology by implementing security controls. These are decisions that affect not only the security of the organization, but that also have a direct impact on how individuals in the organization operate, thus affecting their productivity and ultimately the bottom line of the business.
Organizations often fail to understand that cybersecurity controls need to be aligned with the strategic goals and focuses of the business, and that the risk appetite of the company should determine what kinds of controls are implemented. When considering both risk and risk mitigation tactics for a modern organization, many believe that cybersecurity and information security can be handled solely by the IT department. Because technology has become the cornerstone on which information security is based, whenever an organization needs to deal with a large threat or a breach, the CEO and the board of directors (if involved) often direct their questions to the IT department.
This misalignment in understanding the role of security and risk management and their direct connection to business management has led to a state of security heavily biased towards technical controls. Technology is developed, bought and implemented to manage technological risk, and it is often understood only by highly specialized IT professionals. This bias is not the fault of the IT professionals – this is a complex challenge, one that has been created over many years by adding many small, seemingly insignificant innovations together in what today has become an interconnected world of information technology.
Each of these innovations is manageable by itself – but when they are joined together in a complex, fast-growing network of networks, with new innovations constantly added that may or (more likely) may not have been tested and properly secured – we end up with what we are faced with today: a seemingly impossible task of securing people and organizations from cyber threats.
If we accept that information security is made up of three elements: people, process and technology, then isn’t it a bit much to expect the IT-guy or -gal to have all the answers to our information security concerns?
At Praxis, we think it is. This is why we focus on helping our customers to balance the three elements. Our team helps organizations like yours to understand how to leverage people, process and technology to reduce risk, remove friction and improve security. Contact our team today to learn how we support your organization in improving its bottom line!