Gartner to Security Pros: Start Working with the Business

Security professionals who want to protect security budgets during the downturn need to better align their operations with overall business goals, Gartner said last week. That includes treating users as customers and not as obstacles in the race to implement new security technologies.

During an information security summit in London, Research Vice President Jay Heiser told attendees that Gartner frequently sees security professionals make four risk management mistakes:

  1. Imposing uniform protection and security spending practices across functional units in the organization. "An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection," Heiser wrote in a statement on the topic. "Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk."
  2. Allowing technology, rather than business needs, to drive security plans. "Security professionals have historically made technology-centric investment, implementation, and deployment decisions based on what they believe is required," Heiser wrote. "It is impossible to defend security plans, and the budgets they require, if they aren't based on business objectives." Where a business manager declines or refuses to participate in prioritizing risk for the business processes within their division, Gartner recommends bringing in higher-level managers to mediate.
  3. Using jargon that business people can't understand. Instead of describing security concerns about IT systems, data, and processes in language that only other security and IT professionals will understand, Gartner recommends using a three-level scale (high, medium, and low) to specify priorities for risk management services.
  4. Taking responsibility for risk decisions that really belongs to functional business managers. Frequently, business managers will assume that the IT organization's "standard offering" will address their unit's IT risks. "Such an approach makes the IT organization or the IT security organization the scapegoat for security failures and any consequent reduction in perceived service or flexibility," Heiser wrote. He recommends pushing ownership of the process of aligning risk with business benefits back to the business groups so that they're held accountable for failures in security and continuity in their operations.

"Simple, manageable risk assessment frameworks, explicit acceptance of residual risk, and security service level agreements will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks," said Heiser. "The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services."

Heiser has written a Gartner research note, "Four Risk Management Mistakes That Threaten Your Security Budget" ($95), on the topic.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
