Security Priorities Blog Series – Part Three: Keeping a Strategic Focus is Difficult
By: Bob Bragdon | 01/09/2020
When a security team can focus more of its time on strategic issues, as opposed to tactical ones, we know that a host of benefits can flow from that: less downtime, fewer breaches, and fewer financial losses, to name a few. The challenge, for any organization, is that there are always tactical issues that drag the team away from its strategic focus and consume its time and resources. In part three of my multi-part 2019-2020 security priorities blog series, I’d like to cover the role of strategic focus.
#1 – Governance and compliance regulations
Businesses can spend inordinate amounts of time focused on meeting governance and compliance regulations, and very often show little benefit for their efforts. The past two years have seen organizations dedicate massive resources towards achieving compliance with GDPR, CCPA, and other regulations. Of course, the question is, “did they get any real reduction in risk for all those efforts?” The jury remains out on that question, but over the years we’ve found that organizations, given the opportunity to invest their resources in the way they feel would most effectively address their risk environments, would invest those resources very differently and, they believe, more effectively.
#2 – How to demonstrate return on investment
Of course, the realities of budgetary constraints and demonstrating a return on investment are classic tactical issues that will always pull people away from their strategic initiatives. But there are ways to manage and prioritize them so that one can minimize those demands and help to sell the value of security up the corporate food chain. Much of that has to do with having a clear understanding of where your organization stands relative to its peers. Where are you ahead of them? Where are you behind? How does your security posture stand in relation to the risk appetite of your business?
#3 – Employee awareness & cooperation issues
Again we are visited by the recurring theme of employee awareness & cooperation issues. If your users aren’t well trained and tested, they will continue to make mistakes that will force the security organization to re-focus resources on mitigating the events caused at the hands of users. This, again, speaks to the importance of having a strong user training and testing program in every organization.
Continuing our look at the results of the 2019 IDG Security Priorities Study, the next blogs in our series will examine staffing challenges, security budgets, where those budgets will be focused, as well as examine the technologies that have the attention of security buyers today and in the future. (Hint: I wouldn’t be surprised to see a lot of focus on zero trust and the role of the cloud.)
Catch up on the Security Priorities blogs you may have missed:
Part One: Top Priorities for the Next 12 Months
Part Two: Where Security Falls Down