C-suite and IT must collaborate for safer businesses

"Business-driven security" is the name of the game at RSA Conference 2017

Security professionals need to come together with business decision makers in order to find solutions that can serve the needs of both. That's according to Zulfikar Ramzan, CTO of RSA.

In his opening keynote at RSA Conference 2017, Ramzan talked up the need for "business-driven security", which brings the needs of both together through collaboration.

"Security isn't just a technology problem, it's a business problem," Ramzan told the several thousand delegates in attendance.

"The inability to draw connections between security details and business metrics is what I call the gap of grief. Corporate executives don't care if an incident involved SQL injection or cross-site scripting. They'd like to understand the business implications."

There are three key elements to making business-driven security work, said Ramzan. First, risk should be treated as a science, not a dark art, using consistent and rigorous methods for analysis. Second, businesses should simplify what they control, for example the number of different security solutions they use.

"I spoke to one chief information security officer recently who has 84 different security vendors. Eighty-four! How do you manage that many vendors? How do you justify to your board and executive suite the return on investment from these vendors? You can't," said Ramzan, urging companies to only use those that truly bring value to their business.

Finally, organisations must plan for "chaos they can't control", said Ramzan, which means an incident response plan that has the 'ABCs': availability, budget and collaboration.

On availability, Ramzan said an incident response plan shouldn't be a wishlist; it needs to be solid. "It sounds obvious, but it's such a common mistake," said Ramzan, giving the idea of putting "empty fire extinguishers in every hall" as an example of good intentions that will in fact be useless in a real emergency.

Budget, he added, is absolutely vital, because there will be unexpected costs.

"An incident response plan without budget authority is a fairytale," he said.

The final element, collaboration, is important because every department, from finance to legal to marketing and others, has an important role to play when an incident takes place. These teams must therefore be working together beforehand, during the planning phase.

"People will be working 24/7, camping out at the office. That's not the time for introductions," said Ramzan.

Features editor Jane McCallion is on the ground at RSA Conference 2017 in San Francisco all week. Follow her on Twitter for live updates and bookmark our dedicated page for more coverage from the business security conference.

Image credit: Jane McCallion
