The biggest discovery in this model is the shift in influence from technology decision-makers to the lines of business.

Security product and services vendors once sold best-of-breed capability to expert security staffs. It was a pure sell of security for security’s sake. The enterprise decision-making process for security has changed and security vendors must adapt to the new model. Security vendors must now address three areas to win an account:

Security: The enterprise relies on the security team to evaluate and recommend security technologies and sources of specialized service expertise. In internal planning discussions, the security team examines risk factors to the business and anticipated costs required to reduce those risks.

Information technology: The enterprise looks to IT for cost-effective deployment strategies within the existing infrastructure; support strategies for users and application integrity; and required skills or external resources necessary to meet the business requirements. The IT team assesses the costs involved in managing the application and security deployments.

Lines of business (LoBs): The LoBs set the prioritized agenda for business initiatives, define business requirements and make the ultimate decision on application/IT security balances. The LoBs’ concerns center on revenue generation, customer account acquisition, individual customer satisfaction and quality of service.

Model Results and Conclusions

The biggest discovery in this model is the shift in influence from technology decision-makers to the lines of business. We expect security budgets to grow in 2004, with actual budget allocations controlled by the lines of business. Changes in sales and marketing behavior for successful security practices are required:

Security teams no longer have central funding to try new technologies and easily champion new companies within the enterprise.
Emerging security vendors have difficulty gaining toeholds in an organization; larger incumbent vendors are more difficult than ever to displace. Security vendors must work past enterprise security teams to get direct exposure to lines of business. The lines of business influence decisions most heavily. Security vendors must express their value in terms that are meaningful to business managers. Vendors and chief security officers must educate each other on how to best identify product and service capabilities with business needs.

CSOs are more conservative in presenting security vendors for approval. LoB managers that are not experts in security are more apt to be swayed by a vendor’s reputation, with inherent confidence in its ability to manage a future problem should something arise. Enterprises are forcing security vendors to consciously articulate benefits for the critical influencers, which include leading-edge security performance for the CSO; low-cost management and integration capability for the CIO; and preservation of business service confidentiality, integrity and availability for the COO.

Enterprises are shifting organizational reporting structures, budget responsibilities and decision processes for security purchases. Two of the three critical influencers of security products and services are being aligned to support lines of business.

Enterprise executives that have survived the expensive excesses of PKI, Y2K and IDS are wary of overhyped security claims. New security purchase decisions will need to map into corporate plans for supporting business goals in an easily managed manner.

Enterprise Recommendations

Involve your security team early in application selection processes. Security is integral to applications exposed to the Internet and seldom can be effectively bolted on after the fact.
Have corporate security architects participate in defining requirements for new initiatives, evaluating vendor responses and evaluating acceptable business security trade-offs.

Consider having CSOs report to the CFO or COO. Security organizations that report to CTOs or CIOs tend to prioritize according to technology or operational costs, respectively. Align with the chief financial officer or chief operating officer to better align security with spending from lines of business and integrate with business processes. Shift security metrics from ROI to reduction of risk (ROR) to better reflect security’s contribution to the business.

Make security organizations tin-cup internal users for budget allocations. This forces security to justify its existence year-on-year by showing value to lines of business (customer-focused), audit teams (regulatory and policy compliance) and IT (infrastructure-oriented). Security is important to the business and this is the most effective means of measuring internal benefits.