A focus on firefighting
Taking risks is a key part of running a successful business, and many leaders will take a ‘without risk, there is no reward’ approach to business transformation. This makes it hard to push security teams as enablers of digital transformation given the traditional security mindset of ‘block all risk’ – the unfortunate reality is that in the majority of UK organisations, security teams are unable to demonstrate their business value beyond the deployment of technology and threat mitigation.
Today’s businesses operate on a global level, engaging with businesses across the globe and using countless different technology solutions. While these tools are typically designed to boost productivity, they can easily have the reverse effect as a result of platform proliferation and the maintenance burden that comes with poorly deployed technologies. To make things even more complex, the security habits of the large majority of UK workers remain questionable even amid a rising number of data breaches, with password reuse commonplace across different platforms and workers falling prey to phishing attacks. As a result, security teams are having to focus on everyday firefighting rather than the long-term optimisation projects which will give them a seat at the table of business transformation.
To shift the perception of security teams as business blockers, they must be proactive in demonstrating their impact – but how can this be achieved?
Risk management as a priority
A good place to start would be to focus on the areas seen as adding the most value by board members. IDC research shows that almost half of UK enterprises (42%) see risk management as the key value from security teams, and harnessing identity and access management (IAM) provides teams with key opportunities to prove themselves in this area.
There are various tools available to make the IAM experience as seamless as possible for users. Having a tightly knit security environment is essential and involves a combination of multiple elements: key components include single sign-on (SSO) capabilities, multifactor authentication (MFA), enterprise password managers (EPM), as well as management dashboards. Together, these tools help to limit the potential knock-on effects of poor security awareness and reduce risk at a general level by minimising the impact of insider threats.
That being said, the deployment of disparate tools can be counterproductive and add to the complexity when done badly. Security teams are already struggling under the burden of managing conflicting technology environments, and so these tools need to be implemented intuitively if they are to provide the most business value.
In comes unified security
There are clear opportunities to deliver this transformation through the adoption of a unified security approach. By this, we mean the integration, rationalisation and centralisation of security environments into a holistic ecosystem. Adopting such an approach can help improve the operator experience and make things simpler for the teams charged with maintenance – while also providing a cure to the headaches caused by platform proliferation.
Not only this, but a unified security approach is a key enabler in helping security leaders engage at the board level by delivering cost transformation. An integrated security environment will serve to streamline operations for security teams, allowing staff to focus on higher value tasks while automating repetitive processes. In business terms, this means clawing back up to 155 days’ worth of effort for the average UK security team. Clearly, cost reduction and operational efficiencies are central to demonstrating business impact, but they should be viewed as a starting point rather than a security team’s entire value proposition.
Speaking business language
Adopting a best-of-breed approach to identity offers countless benefits for businesses as a result of more effective risk management and improved cost efficiencies. In addition, this provides ample opportunity for teams to prove their value. It’s up to security leaders to engage with the board to ensure general awareness of these approaches at the necessary levels.
This means using the appropriate language, refraining from focussing too much on technical KPIs such as the volume of data transported or the number of systems with known vulnerabilities. Instead, they should adopt KPIs which relate to business outcomes in order to measure their impact and resonate the most at the board level – think risk mitigation, cost reduction and workforce utilisation.
Earning a seat at the table
In the return to normality, business leaders will be taking stock of the lessons learned to ensure mistakes are not repeated. Enterprise agility will be mission critical to accelerate growth and stay afloat in a sensitive landscape, and this will mean making digital transformation a reality.
Now is the time for security teams to shift their reputation as business blockers and prove themselves as transformation enablers. Doing so will involve taking proactive steps to improve security awareness across an organisation, helping to free up the time and resources required to push for longer-term optimisation projects. Winning a seat at the table on new initiatives will ultimately involve gaining the required credibility, and security leaders can do this by speaking in a language that resonates at the board level.
By Barry McMahon, Senior Manager, Identity and Access Management at LastPass