The importance today of managing an ideal holistic security project, which guarantees the continuity and growth of the business and companies.
by Gigi Agassini, CPP*
Technology is a very powerful tool that only continues to increase and constantly change to meet daily needs and challenges, the truth is that within the numberless offer we have today, we hardly stop a little to analyze before acquiring it, and it is even more difficult to stop to think about what we have, and if possible that we add more technology to what already exists. Starting from the three most important elements for any organization:
- People
- Processes/procedures (under legal framework)
- Technology
The perfect balance between the three is what will lead us to that operational efficiency that many corporations suffer from, but are also looking for. But where is the disconnect to choose technology or why is it so difficult to achieve operational efficiency?
Well, there are several answers to this question, but it all lies on the same basis: communication. And it is so difficult for the areas to talk to each other and many times isolated decisions are made, which opens other variants of risk for the business. We know that security is transversal to the entire organization, as well as Information Technology (IT) Who should choose the technology? And this is where a disconnect between areas begins, which only has an impact on the business, unnecessarily increasing different risks such as cyber threats, lack of scalability, little flexibility, technology in silos, high maintenance costs, among others.
The most common thing among companies when acquiring security technology, regardless of size and / or type of business, is to do it outside the rules and policies of the IT Government. But why should we align ourselves with IT policies?
Let's take a look and analyze a little about the importance of aligning with IT and that is that they seem like two independent areas, which are managed differently, with different knowledge and responsibilities and yes! The truth is, yes! Each area has different responsibilities and challenges, however the topic "security" in both areas complement each other and it is extremely important to align with regulatory compliance and international standards that IT has designated to align with the business strategy and manage the risks of information security, protection of personal data, cybersecurity, among others.
The importance of an IT governance is precisely the complete alignment with the business strategy, which will provide at the same time the fulfillment of its objectives, with an adequate risk management.
In physical security there is an international model for risk management (ESRM – Enterprise Security Risk Management) that precisely allows us this alignment with the business strategy and where the knowledge and management of this "practicioner" is tacitly marked in several topics, including cybersecurity, personal data protection and information security, to mention just some of the different areas of knowledge that must be counted on and is that is that a mistake, and today more than ever, to think that the physical world is alien to the digital world.
Most organizations have an outdated structure, even with old-school thinking, and unfortunately the vast majority of companies think they are investing in security insurance by acquiring technologies, but unfortunately they do so without any consideration or understanding about cybersecurity risk; organizations still have little understanding of their risk tolerance.
The lack of alignment between corporate governance and IT governance will continue to open a gap in organizational structures and leave unresolved the most important problem today in any organization: communication and decision-making, as well as the acceptance of risks by each "stakeholder", as this entails an "accountability" that is directly related to the entire organization.
Erroneously we continue to think that just because we have a security person, he has all the responsibility that "nothing happens" but things will always happen and when this happens, only one head is targeted. Continuing on this path, which is the old-school path, continues to increase risks for the business, leaving security plans (if they exist) obsolete and turning "security" into something commercial or into the thought of denial: "if it has not happened to me, I do nothing", and although it is evident that we have around us worrying situations of cyber attacks, theft of information, illegal intrusions to companies, operational stoppages to companies and the list continues only to increase, we are still immersed in the denial that "it will not happen to us" or that probably if it happens to us "it will not be serious".
Without security we have no business
What are we doing to bring that continuity to the business in a holistic way? We know that the main business of every organization is not security, however, without security we have no business and today the risks grow, are modified, increase and are transformed. Technology as an ally to our processes and procedures is constantly changing because the challenges continue only to increase, and then, why do we want to continue doing things the same?
It is true that the pandemic accelerated several years of digitalization in all organizations, so today they focus on making money and a business transformation, because we have seen that any organization that does not seek to innovate will not be able to exist for a long time. Technology should allow us to grow, reduce costs and achieve greater operational efficiency. However, without a culture, thinking and lifestyle in security, any project will have an uncertain future due to the constant increase in cybercrime.
As soon as we think differently and focus our decisions towards a security transformation and our cybersecurity concerns, all those initiatives, new products, etc. of the business, will reach their maximum potential.
Certainly all elements of the business, such as financial forecasting, product development, operations, business development and company evaluation, should revolve around based on a safe environment. Achieving this requires a broad understanding of cybersecurity in order for organizations to see the overall impact; and to get to this point, we need to think differently and do things differently. Security is the responsibility of the entire business and starts from the "Board of Directors"; The entire business ecosystem must be, "by design," embedded in a holistic security culture.
If we want to ensure the continuity, survival and expansion of the business we must guarantee that the three elements of any organization are in perfect balance: updated operational processes and compliance with regulations and international standards aligned with the objective and strategy of the business, technology as a support for people to be more efficient and that our detection and response plans are constantly updated and dynamic, for they are living documents.
Without all of the above we will continue on the same path and organizations will continue to fail significantly reducing the results expected by the business. Let's not forget that security first, security second and security in the latter, but not traditional security, but rather holistic security, security that today in a digitized world is leading organizations to a point of no return, for not taking the right measures and adapting to change.
What every business must take care of are people (suppliers, employees, customers) since the organization will be automatically taken care of. Let us remember that security is one for all and all for one!
* Gigi Agassini, CPP
International Security Consultant
GA Advisory
[email protected]
