We recently had the opportunity to discuss what's top-of-mind for the Security for Business Innovation Council (SBIC), a group of security leaders from Global 1000 enterprises including Boeing, General Electric, Walmart, SAP and ADP. If there's one thing SBIC members agree on, it's this: security strategies that focus solely on prevention just don't work in a threat landscape that has dramatically grown in both volume and sophistication.
One SBIC member summed up the issue this way, "The traditional security model is defensive, but today security leaders are judged by how quickly they can not only detect, but also deal with issues and minimize damage. We can no longer rely on traditional security approaches."
As we looked across all the conversations, two distinct priorities rose to the top:
- Creating actionable information from large amounts of data
  - The amount of data council members are monitoring is enormous, as one would imagine in global, multinational companies. Everyone is looking for better ways to streamline the data and turn it into actionable information. As one member noted, "Getting the information is the easy part, understanding what you are trying to get out of it is hard."
  - Interestingly, council members are exploring a variety of technologies and strategies to make the threat data they collect more actionable, including machine learning, behavioral analytics and staff realignment.
- Enriching board-level communications and developing C-level operational metrics
  - Security breaches and the ensuing public disclosures have put the spotlight not only on CISOs, but also on the increased investment companies are making in security infrastructure. With increased investment comes more oversight and scrutiny from company boards.
  - Boards want security information in a language they can understand; they are familiar with financial metrics and ROI calculations, and the pressure is on for security metrics to line up with operational metrics.
  - Council members are eager to develop metrics that align security with business operations. As a participant from the financial services industry commented, "The good news is that IT security is being talked about in the board room. Security is now a strategic asset to the business and in turn, CISOs need to be able to talk about business."
In a follow-on post, I'll take a look at how pressing industry priorities are informing SBIC member security agendas. In the meantime, you can learn more in the SBIC's previous reports like Closing the Gap on Breach Readiness or Focusing on Strategic Technologies.