This blog post was originally published by teiss on June 13, 2022 and is reprinted here with permission.
Traditionally, business leaders have seen security spending as something of a necessary evil: money that must be allocated to keep the business safe but also a cost that eats away at budget they’d rather be investing in the business. Security teams, on the other hand, have understandably seen security spending as something that should be a budget priority, given how essential it is to keep the organisation operating safely.
They’re both right.
Security spending does keep organisations safe – and in doing so, it also enables them to do more to create a competitive advantage and successfully pursue business goals. While it’s easy to think of security as a wall built to enclose organisations behind a safe barrier, it can be helpful in this context to see it as a bridge. Security is what enables the business to connect with the rest of the world and achieve more, safe in the knowledge that they’re protected.
The question of whether security is a cost centre or an enabler is not a new one, but it has taken on new importance of late, in light of the anticipated increase in security spending that has accompanied the shift to hybrid work, the rise of cloud operations and other developments that have led to traditional security perimeters falling away. Yes, it costs a lot to secure an organisation that can no longer rely on a formal perimeter – but that investment can pay off handsomely if business leadership and security leadership are aligned and committed to being both secure and bold.
The economics of the right security
Using security as a tool for business enablement requires organisations to know their risks and the cost of managing them – as well as the cost of not managing them. For example, what is the cost of a robust automated system for governing user accounts versus the cost of a breach resulting from those accounts going ungoverned? The hard cost of the latter may be immediately clear: a steep fine for violating GDPR, for example, if the breach exposes private data. But what about the cost in customer trust and organisational reputation? That may be incalculable, and the company may be paying for it for a long, long time.
Organisations today are increasingly seeing the business value of having strong security; one recent study shows a clear correlation between strong security and business success. And in a newish trend, businesses are forming cybersecurity committees that operate with board-level oversight. The takeaway: when business leaders see the marketing value and other business benefits of having a strong security team, as well as the steep cost of not having robust security, the relationship between security and business leaders can become less adversarial and more collaborative.
Where do you start? Consider identity
Security as a business enabler can encompass many areas of security, but a good place to start to talk about it is in identity and access management (IAM). Given that so many data breaches today involve user credentials (61 percent, according to the 2021 edition of the Verizon Data Breach Investigations Report), identity is inarguably an area where security investment is critical. After all, it only makes sense for organisations to spend on security in areas where they will derive the greatest benefit (or where they are at the most risk) and IAM certainly fits that description.
Without identity security on the front end of access to resources, organisations can suffer tremendous financial and other consequences from someone gaining unauthorised access to systems and information. Think of the Colonial Pipeline data breach of 2021, for example, in which hackers breached the organisation using a compromised password. Then contrast that with what an identity-secure organisation can expect: not to fear the consequences of a poorly secured business environment but to confidently pursue the financial advantages and other benefits that come with operating securely.
Watch Ingo Schubert’s conversation with teiss, “Security as a business enabler.”