Number 3 on my top 10 list for security executives: Focus

With all the changes in security over the years it is essential for successful security leaders to constantly evaluate where they place focus and ensure that their approach is not too myopic for the modern threat landscape.

This is the latest in a series of blogs based on my top 10 threats, trends and business priorities for security executives. My first two blogs in this series were History's Lessons and Reform. This third blog will look at "focus."

Pre 1997

Security has gone through massive changes over the last couple of decades. Consider security before 1997. In many organizations it wasn't yet seen as critical, and those who practiced the "black art" of information security did so as a "nice to have," because many business leaders felt that the risk was low or simply didn't fully understand it.

Because of the perceived higher risk, from around 1997-2004 dedicated security teams started to be formed in organizations that hadn't previously considered building a security function beyond the part-time job of a system or network administrator. Security at this stage was very tactical and primarily based on deploying specific products like firewalls and anti-virus to address specific risks. There was generally little alignment between what the security team did as a function of IT and the rest of the company. As such, security practitioners were painted into the corner of the group that says "No" and stops "bad things."

Regulatory mandates and compliance changed the game from around 2004 through 2010, when security teams refocused. This change resulted in bigger security budgets for solutions that would "check a box" and placate auditors. This made many security vendors very happy if their solutions fell into one of those boxes. If it made anyone more secure, it was mostly by accident. As HIPAA, SOX, NERC, PCI and others became common vernacular for security teams, their focus was squarely on regulatory mandates rather than security. While they had more product and maybe even more people, a compliance-based approach in many cases left security processes fragmented and lacking real security effectiveness.

From around 2010 through today we've seen security move beyond compliance and simple, segregated security silos. Through cross-device integration, automation and intelligence, security teams began not just to focus on their ability to prevent, detect and respond, but also to evaluate and measure time, ROSI and ROI. This phase was all about operational efficiencies, with the assumption that the talent, techniques and technology were in place, or at least that the gaps, and therefore the risks, in their controls were well enough understood that performance improvements became a new focus.

Post 2014

Beyond 2014 there seems to be a swelling of support around alignment of security with business priorities. Security is becoming more strategic and seen as an enabler to embrace new markets, differentiate from competitors, take advantage of trends like mobile, cloud and virtualization and no longer be the group that just says "No" in order to stop "bad things." Security at this level is just as much about brand, customer retention, supporting key business initiatives and driving revenue as it is about traditional prevention, detection and response.

While there are some pretty broad generalizations above, this was done to express the point of focus and refocus for security executives. At every stage there has been a need to reconsider the mission of the security executive. If that focus is too myopic, the big picture will be missed.

Consider a deer being hunted in the woods. The deer is only focused on avoiding the hunter. It keeps its nose, eyes and ears open and is ready to run and hide should the hunter get too close. The deer should be doing this, and it needs to be doing this to survive. However, what the deer doesn't have is the big picture, and that's the land developer who purchased those woods and is about to bulldoze them and build a shopping mall.

Sometimes change is hard to see when your focus remains on the tactical items directly in front of you. A longer-term, strategic focus, I might even say "vision," is required to take security to the next level, which is strategic and aligned with business initiatives. To quote Jonathan Swift, "Vision is the art of seeing what is invisible to others."

Security executives must continue to focus on tactical variables. They even need to continue to focus on regulatory mandates. However, this must be done with one eye on the future and on how they move the security organization beyond what's expected and create an organization that's truly business-relevant. Security has never been "the thing." Security is the thing that gets us to "the thing." Just as sales and marketing help drive the business, so can security as we move the industry beyond bits and bytes into business.

Copyright © 2014 IDG Communications, Inc.