CISOs face new leadership test

By Admire Moyo, ITWeb's news editor.
Johannesburg, 11 May 2011

For organisations to obtain a proper alignment between security and business, the chief information security officer (CISO) must take a central role between executive management and information security strategy.

This is according to Johann van der Merwe, head of information security at De Beers Group, speaking at the ITWeb Security Summit, at the Sandton Convention Centre, yesterday.

In his presentation, “Aligning Security with Business”, Van der Merwe noted that as the scope and complexity of technology's contribution increases, so does the role of security.

“In order to provide leadership in this position, CISOs need a clear vision for security, the ability to communicate its relevance, and the managerial discipline to deliver its full value.”

Van der Merwe also pointed out that with the mission of security expanding, the CISO faces a new test of leadership, one which requires essential disciplines in planning and communications.

He also believes a change to security's typically fragmented infrastructure is needed. “One that promises to yield strategic cost savings for companies that address security from a comprehensive perspective.”

Like their physical security counterparts, he added, CISOs need to be able to define, in business terms, what the strategy for security is, what activities or projects they are working on, and how these align with the organisation's goals.

According to Van der Merwe, all businesses face different vulnerabilities and they should articulate these risks accordingly.

“Organisations should always consider factors such as legal, economic, technological, political, as well as social or moral, all of which affect businesses differently.”

In order to align business and security, Van der Merwe urged organisations to implement security controls and understand the value chain.

“To understand risk in a business context, organisations must always evaluate the likelihood of threats, vulnerabilities and the impact of these.”

For analysing threats, he explained that businesses should consider their capabilities and opportunities, as well as the desired outcomes.

On the other hand, he added, vulnerabilities in organisations are found in people, processes, technology, structure and architecture.

“To check these vulnerabilities, it is critical for businesses to implement information security governance, information security management, and information security controls, and they should also analyse their inherent weaknesses.

“These vulnerabilities and threats can have an impact financially as well as operationally. The impacts can be customer-related as well as employee-related.”