The role of security in business is constantly up for debate. A growing movement in the UK around adopting some of Simon Wardley's approaches to strategy for security strategy has started some interesting conversations again.
For years security was seen as the 'department of no', or the guys who spend increasing amounts of money on controls of dubious importance that nonetheless sit on industry-standard lists of good things to do.
A business exists to generate value. It’s that simple.
Value can be a slippery term that might mean earning money as a result of selling products or services but can often incorporate other ideas such as social benefits. Understanding how a business defines value is an important task for every security leader.
There are two things that people working in a business do: they either generate value or they protect value.
People who generate value generally do one of three things:
- Sustain Current Value Generation by maintaining and operating the value generation systems and processes.
- Improve Current Value Generation by changing the value generation systems and processes to deliver better resilience, reliability or efficiency.
- Create New Forms of Value Generation by building new value generation systems and processes.
Protecting the value generated by the business is what finance, legal, privacy, human resources and security do. I think many of the historical challenges of security teams stem from focusing too narrowly on protecting the existing value that has been generated and the value-generating engines that are in operation. Change is seen as a risk to those engines and is avoided by security teams, leading to the 'department of no' culture and accusations.
There have been several attempts to rebrand security as 'business enablers' and, in some cases, to run it as a profit-making internal business. Interestingly, research has shown that while security practitioners have contorted themselves to deliver these concepts, the main stakeholders don't particularly care.
At the core, our stakeholders care about protecting against data breaches, protecting against bad press and protecting against negative regulatory actions. These are things that can damage business value. They also care about having confidence that this protection has been delivered.
One of the reasons security functions can become dislocated from protecting broader business value and gain a terrible reputation is by focusing almost exclusively on the first part of value generation (Sustain) to the detriment of the other parts (Improve & Create).
Security needs to protect business value across all three types of activity. This includes protecting the increased value generated by improving current value generation, as well as protecting the future value that will be generated from new forms of value generation.
This change in focus is what you see in security teams that product teams and development teams regard as flexible partners. The so-called 'enablers' don't try to generate value themselves, but understand and accept the broad scope of value protection that stakeholders actually expect.
Does your security strategy, programme or gut-feel management protect all types of value generation?