Charles Bess asks:

How can security become a value add to the enterprise instead of being the constraint limiting flexibility and growth?

CIO Questions by Charles Bess, Fri, 06/14/2013 - 20:05




I would pose two questions: Are you playing offense or defense?  Are you playing to win or to not lose?
Most organizations play defense.  They play to not lose.  When you are on defense it means that the other guys (the bad guys) are on offense.  They are in control.  Organizations on defense, organizations who are playing to not lose, are motivated by fear.  Talk to most IT security folks and they will spend their time telling you about all of the bad things just waiting to happen. True, it is a dangerous world out there and there are bad guys lurking in cyberspace, but too often IT organizations use the vague fear of a “security incident” as a convenient excuse to avoid being the innovators that organizations desperately need. The constant drumbeat of “we can’t do that because it isn’t secure” gets old pretty quickly. 
So how does one play offense?  How does an organization’s security function play to win and in doing so turn security from a constraint into an opportunity?  Here are three suggestions.
1.     Master the basics- Football legend Vince Lombardi famously began each year’s Green Bay Packers training camp by assembling all of the players (remember, these guys had frequently won the NFL championship the year before), holding up a football, and saying, “Gentlemen, this is a football.”  He always started with the basics, no matter how good they thought they were.   Master the basics of cyber security.  Have the proper safeguards, policies and internal practices in place. Get your own house in order.
2.     Explain why and how- Engage the organization's employees (the whole organization, not just IT) in a constructive and ongoing dialog about WHY cyber security is important, their role in it, and HOW they contribute.  Train people to be responsible instead of fearful. Use language that they can relate to.  Awareness is the first step towards prevention.
3.     Dialog not dictates- “We can’t do that, it isn’t secure.” How many times do people in your organization use these words as a first response to anything new?  More than you think, I bet.  Approach new initiatives and opportunities from the perspective of “How can we make this work” instead of “We can’t do that.”  Don’t be reckless but don’t be lazy and stubborn either.  It may take some work to figure out a workable solution but after all, isn’t that what you are being paid for?


Juan Nalda 11 Points | Sun, 06/23/2013 - 08:33

Security is not just about technology but is a whole company issue and therefore should be addressed as a collaborative work across all the areas. Regular security training is critical for keeping both company and customer data safe.  A Company Security Information Policy should be communicated and trained on regularly, since in most cases risks come from inside the firm rather than from outside.

I’d say companies should build a culture of good personal security and not combine security and control with productivity. Acceptable Use Policies (AUP) are needed but we must avoid mixing them with productivity policies. BYOD/Cloud Data/MDM are a good example where you can keep acceptable levels of security but at the same time increase employee productivity. I’d also advise keeping very sensitive data classified, which is intimately related to preserving company value, and finally, make sure that IT staff who have regular contact with employees receive regular security briefings. IT staff are often the key to developing a culture of proactive security both through formal training and by proving and showing good security practice in their daily interactions with end users. Effective long term security requires a shift in mind-set that can only be achieved when regular staff training is a priority.

John Dodge 1535 Points | Mon, 06/24/2013 - 13:04

I agree, but above and beyond this is keeping loyal employees who care about their employer. So often, that is not the case. Disgruntled employees will pay less or no attention to the security concerns of their employer. The love will be returned if a company offers upward mobility, good pay and benefits, interesting work and an innovative environment. Companies that live from quarter to quarter and care primarily about share price and bonuses will get a less sympathetic ear than those companies that cultivate and grow their workforces.

Pearl Zhu 90 Points | Wed, 06/19/2013 - 15:40

Security is part of Risk Management, thus, the organization's GRC maturity will decide whether your risk management effort is controlling only or it creates further value for business.

At lower maturity, organizations focus on risk mitigation; IT says "NO" when new technology trends such as BYOD or social emerge. Well, it may avoid certain risks; however, the organizations also lose the opportunity to improve productivity or customer engagement. At higher level maturity, from risk management to risk intelligence, organizations take holistic GRC solutions to break down silos, cultivate the culture of risk sensitivity, and understand that every risk has opportunities and every opportunity has risks; therefore, their next GRC practices will go beyond controlling and capture more value-added opportunities in transforming businesses for continuous growth. 



Jim Gardner 14 Points | Tue, 06/18/2013 - 15:02

There's no doubt that security is a value-add, but it's also table stakes.

In my area, SaaS, essential security is presumed - table stakes. In that way, it's a defensive move. Offensively, the incremental improvements, vertically oriented enhancements, transparent communications, that's all offensive maneuvering for the security team. 

Just last week, HP SaaS CISO Nir Yitzak sat down with HP Cloud Strategist Christian Verstratae to discuss many of these same issues. That can be viewed here:

Ultimately, it's about the company culture, and whether security is more or less provided the stick (punishment for failure) or carrot (reward for finding workable solutions). I think there is a place for both in an enterprise (as a customer I don't want too many carrots offered; as a businessperson, I don't want to discourage innovation).

John Dodge 1535 Points | Mon, 06/17/2013 - 22:26

No doubt, this is a hard question, Joel. You make great points - master the basics, get employees on board and launch bold initiatives. I can see traces of advantages in your suggestions, but as pre-requisites for good security. But how does security give you clear advantage in your market? Can it? Maybe not.

Joel Dobbs 339 Points | Tue, 06/18/2013 - 15:08

I think it depends somewhat on your industry.  For instance, for banks, credit card companies, hospitals and others that utilize personal or financial information, good security is a competitive advantage.  My bank regularly reminds me that the “security of your personal information is important to us.” This is a double-edged sword, however.  Boast too much about how secure you are and you will likely invite cyber attacks.  Hackers love a challenge. If you are in the R&D business, protecting your intellectual property has a direct long-term impact on your bottom line.  For some industries, heavy equipment manufacturing for instance, security is more of a defensive proposition.  The most likely damage a hacker could do is disrupt your production schedules.  No distinct competitive advantage but a business necessity.

Jim Gardner 14 Points | Tue, 06/18/2013 - 15:42

Strong security as an invitation to hackers is a Catch-22. For your banking example, the greater challenge isn't combating hacks (they will always be with us) but creating security policies that effectively combat 'social engineering' (exploiting humans, not code) while at the same time not making the authentication process for customers an unhelpful and unwelcome barrier to doing business. It may be getting off topic, but this is now where biometrics have their edge... speed and effectiveness. 

Joel Dobbs 339 Points | Wed, 06/19/2013 - 15:22



I agree.   Engaging the organization and its customers is really how you address social engineering which, as you point out, is at the heart of most hacking.  Following the bank example, this means regular, clear and concise reminders about phishing, what these types of schemes look like, and reminders to never give out personal or account information to anyone, especially in response to an e-mail.  

John Dodge 1535 Points | Tue, 06/18/2013 - 15:15

So in the end, security is BOTH a constraint and a value add, no?

Joel Dobbs 339 Points | Wed, 06/19/2013 - 15:25

It cuts both ways, I believe.  Putting the necessary safeguards in place by their very nature imposes limitations.  Doing these well protects your employees and customers and is good for business.  Customers see the value when they feel like their information is secure.  The organization's history and reputation are the best advertisements for a well-implemented security program. 

Doug Goddard 123 Points | Mon, 06/17/2013 - 18:00

"How can security become a value add to the enterprise instead of being the constraint limiting flexibility and growth?"

By being invisible, automatic or easy to use and unbreakable, inside or outside the firewall, on any business or personal device.


John Dodge 1535 Points | Mon, 06/17/2013 - 22:20

In a word, transparent. I think that makes it value-add and constraint neutral. How can security be used for an advantage (my bank is more secure than airline is safer than yours....)?

Bill Laberis 161 Points | Mon, 06/17/2013 - 13:29

Part of me says this is like asking 'how can a good roof and solid plumbing add to the value of my home?' when in reality a leaky roof and bad plumbing detract, but good stuff doesn't necessarily add. In certain businesses, say B-to-C online businesses, the security of your website obviously can and will add to the growth overall by assuring customers doing business there. But in general, I just don't know if this is really possible, and therefore question whether it is a noble pursuit in the first place.

Marinus van Zyl 1 Point | Tue, 06/18/2013 - 22:04

I agree that the question seems to be a bit of a paradox at first.

Perhaps we're looking at it all wrong. Let me also use a metaphor: how can ropes make you more free? Yes, it can bind you, but using ropes, you can also climb mountains, which you couldn't do before, and that is how it gives you an advantage in terms of freedom.

So in a sense, if we try to apply this metaphor to the original question, if your security regime is secure enough, it should allow you to implement features that would otherwise be impossible, thereby providing a competitive advantage.

Yes, this often has to do with transparency, and biometrics are great for this; for instance, if you have this you could integrate access control and login to your computers into one system. Just the speed at which you can do a secure login is important in this sense. Also, you could integrate all staff, not just those that work with computers, even for example miners that are illiterate.

Or also, if you want to monetize your business or solution to your customers in some way, you would need more secure passwords, so having proper security could enable a whole new direction for your business.

Maybe even providing banking for illiterate people at ATMs, through a biometric login?

In a way, security goes hand in hand with identification, which could definitely be a competitive advantage. Imagine a video camera identifying everyone that comes into the storage area for your stock, etc.

I'm sure I'm even thinking too narrowly still.

Charles Bess 93 Points | Wed, 06/19/2013 - 17:40

When you think about security, part of it is recognizing the desired action and stopping the aberrant behavior. Isn't that another way to talk about another space that has a great deal of data and opportunity -- marketing? If we think of security as not something special but instead having more in common with other parts of IT and how they add value, our perspectives can shift -- as you rightly point out.

Security techniques recognize new patterns of behavior -- good, bad or indifferent -- what can the business do with that knowledge?

Security approaches try to identify where people are coming from, where they are going, what they are doing while they are interacting with the business -- what other parts of the business are interested in this sort of metadata?

As I've mentioned to others (particularly around disaster recovery and cyber-attack avoidance), it is not usually our lack of preparedness that we need to worry about, it is our lack of imagination.

John Dodge 1535 Points | Wed, 06/19/2013 - 12:51

Your metaphor is great, Marinus. That's the best answer so far, IMO.

"So in a sense, if we try to apply this metaphor to the original question, if your security regime is secure enough, it should allow you to implement features that would otherwise be impossible, thereby providing a competitive advantage."