Enterprise Information Security is about Progress

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is never a point in time at which we have adequately addressed all of our technological risks. The rate of exploit discovery and the lifecycle for fixing vulnerabilities ensure that we will always have open issues.

With that reality in mind, we need to reconsider what makes a successful security program. Security should focus not on an end goal of “good enough” but on an end goal of sustained improvement.

Security Over Time
Security can often come across as a demanding, RIGHT NOW discipline. And there are some good reasons for it. We know that hackers could break into the network right this moment, and that gives us real urgency. The newest hacks from researchers show that even the most trusted systems are vulnerable to exploit. The reasonable first response to this is to jump into action and immediately fix the issue.

But when we work with the business, the reality is much bigger than just security. Our partners in the business have to worry about losing customers because they don’t deliver our products on time, competitors out-innovating us, the risk of financing falling apart, and many other business issues that could damage the business just as much as (or, in many cases, more than) a security incident could. In the background of all these competing interests, a security manager who continues to insist that our vulnerabilities are the number one priority is going to get tuned out, or worse.

What we can do instead is collaborate with the business to come up with a long-term plan for implementing security that does not inhibit innovation and progress by the business, and shows sensitivity to the overwhelming demands that they are often under. Yes, the plan we agree on must take the organization to a level of acceptable risk. But we can do so over months and years instead of days and weeks, show improved security over time, and develop trusted partners within the business.

Enterprise security is a service function. We exist to enable the business to do their jobs without being crippled by cyber-attacks and unreliable systems, or losing their trade secrets to competitors. As soon as we stop enabling the business to produce better and faster, we become a liability.
