The Connected Enterprise is opening new opportunities for business, for innovation and for growth - it is a fundamentally important imperative for today’s business world. But it does not come for free: there are a number of caveats to circumvent, risks to address and changes to execute.
One important activity is to re-shape your security leadership. The Connected Enterprise makes a number of changes necessary: implement a holistic security management beyond technology domains, move from an asset-oriented towards a risk-centric protection strategy, and move fundamentally closer to the business.
Holistic security management integrates all necessary security disciplines, independent of the technology or organizational area. Whether IT security, personnel protection, physical safeguards or process security controls: since the Connected Enterprise requires a high level of flexibility in the protection measures employed, it is necessary to be able to choose among all possible protection measures and controls to pick the one that not only theoretically protects "best", but also allows fast reaction times and a short return on investment.
The classical security paradigm "know your assets, and how to protect them" becomes more and more difficult to follow in the Connected Enterprise. The primary reason is that the assets themselves are no longer the "stable entity" in the business architecture - instead, they serve as resources that feed the value creation through connectivity. The way out for security leaders is to start thinking in risks instead of assets and protection goals. Furthermore, security leaders can no longer rely on a mid-to-long-term validity of the "security groundwork" - instead, they need to adopt a "daily risk posture" approach and be ready to change focus quickly - just like a police department in a vibrant city.
Classical security practitioners and leaders have either a security services or a technology background. In both cases, they see themselves as "mastering" the security of the enterprise through their specific expertise. Due to the fast pace of the Connected Enterprise, they will more and more lose their value. The way out for security leadership is to "sit by the business" - that means helping business leaders evaluate the risks, and enabling them to securely develop their business. In CISO speak: protect the "I", not the "T" in Information Technology.
These three recommendations will help organizations tackle the constantly changing security posture of the Connected Enterprise successfully. If you are ready for a certification, then you should go for an ISO 27001 certificate - the new 2013 program requires you to set up your security leadership and organization along these lines.
And what skill set should security leaders strive for? They must be consultants, coaches, awareness experts and auditors at the same time - technical expertise is no longer the primary imperative; it is much more about social skills that help convince the business to take its risks seriously. And if they are successful, they will greatly contribute to the value creation in the Connected Enterprise.
This article was originally published in the KuppingerCole Analysts' View Newsletter.