


Security not strategic? Sure, just like IT

May 13, 2011 | 3 mins
CIO | CSO and CISO | Data and Information Security

CIOs who fail to grasp the strategic potential of risk management must have very short memories

Here’s a nice little bedtime story, taken from the corporate history books.

Once upon a time, there was a tribe whose members were called data processing managers.

They were kept locked in a glass room in the back office. Their job was regarded as merely tactical. “That’s not a strategic function,” said their company CEOs. And for a time, the CEOs were correct.

So the data processing managers developed a habit of kvetching, because nobody likes to have their work treated dismissively. And because they knew their CEOs were being shortsighted.

[Also read What is a CSO, part 2 for a perspective on how security adds business value]

Well, the world’s rate of change kept accelerating. New tactics became possible. When new tactics develop quickly, there is a direct impact on strategy. New tactics enable—no, require—new strategies. So data processing became information technology, and data-processing managers became IT managers and then CIOs. More and more, smart CEOs recognized that their formerly tactical IT guys had become strategic thinkers and business enablers.

What happened next was very, very interesting.

There was another, smaller tribe called security managers. They were kept locked in a subbasement underneath the old data processing glass house. Some of them watched video cameras and some of them watched networks, and both these jobs were regarded as merely tactical. “That’s not a strategic function,” said the CIOs. And for a time, the CIOs were correct.

Well, not surprisingly, the world’s rate of change kept accelerating. New tactics became possible. Security became more intertwined with fraud prevention and safety and asset management and operational resilience, because all these functions are centered around understanding risk.

And also because they found that a common set of network-delivered, database-driven risk-monitoring and evaluation services could start to provide real business intelligence. So the security managers became CSOs, and security functions started cooperating with those other functions and creating all sorts of risk-management models and services.

Well, some of them anyway. Great examples are coming in the June issue of our magazine (and will be available online, like all our magazine articles).

Now this chapter of our story isn’t over yet. (You get to write your own ending.) But a few things we can say for sure, based on studying history, now that it’s been repeated a few times.

We know that most people’s jobs are more complex than they look from the outside. (So offer some respect to your coworkers and your service providers.)

We also know that when a tactical field is changing rapidly, the strategy-makers better sit up and pay attention.

And most of all we know that when CIOs in particular say they have no interest in security because it’s merely tactical, they’re being astonishingly (and ironically) shortsighted.