Despite its enormous importance to business, IT compliance is often regarded as a distraction and a management burden. That's why we need to change the language used to speak about security at the board level.
While board members are seeing the headlines, they don't know what the real risks are or properly understand the potential costs. Security must therefore be seen as part of everything, not just a line item on a list of CIO concerns. After all, hackers have a strong focus on what they are trying to get at, so companies need a similar focus on what they are trying to protect.
As security professionals, we should ensure security is fully aligned to an organisation's business goals, and we need to think about changing the culture of security in an organisation to put security in context.
And a big part of that context is the changing landscape of security. IT security has advanced from firewalls and perimeters to being an integral part of the business. The ability to embrace new technologies and create better experiences for customers can make or break an organisation. Security is a key enabler in this process and should be regarded as being part of the core of the business. Good security builds trust with clients - and strengthens the business.
The way we work and interact with the organisation has also changed a great deal. We want to work from home, and we want to have new devices all the time. The Generation Y workforce wants to share information over the newest and coolest tools, anywhere, anytime. As a result, users play a big role in driving technology decisions today, and security groups need to work hard to put the right measures in place to enable users to conduct business the way they want to.
With these new devices, cool apps for productivity and ease-of-access come new threats and risks. In fact, 73 percent of organisations view mobile devices as a top risk area in their organisation.
Keeping up with threats
How do you keep up with the threats when they are changing every day and with every new application or device introduced by an employee? The answer is that we need to embed security into everything so that staff can work the way they want to - over Wi-Fi at Starbucks, on the device of their choosing.
That's also why we must start talking about these threats in a language the board can understand and act upon. The board is focused on business agility, cost savings and revenue generation. Security professionals should be explaining not only how much it will cost to protect against a risk, but also how much it would cost if this risk were exploited. In other words, we need to be saying: these are your risks, this is the cost, this is the value.