Gartner to Security Pros: Start Working with the Business

• By Dian Schaffhauser
• 09/29/09

Security professionals who want to protect security budgets during the downturn need to better align their operations with overall business goals, Gartner said last week. That includes treating users as customers and not as obstacles in the race to implement new security technologies.

During an information security summit in London, Research Vice President Jay Heiser told attendees that Gartner frequently sees security professionals make four risk management mistakes:

1. Imposing uniform protection and security spending practices across functional units in the organization. "An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection," Heiser wrote in a statement on the topic. "Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk."
2. Allowing technology versus business needs to drive security plans. "Security professionals have historically made technology-centric investment, implementation, and deployment decisions based on what they believe is required," Heiser wrote. "It is impossible to defend security plans, and the budgets they require, if they aren't based on business objectives." In situations where the business manager declines or refuses to participate in prioritizing risk for the business processes within their divisions, Gartner recommends bringing in higher-level managers to mediate.
3. Using jargon that business people can't understand. Instead of describing security concerns about IT systems, data, and processes using language that only other security and IT professionals will understand, Gartner recommends using a three-level scale--high, medium, and low--to specify priorities for risk management services.
4. Taking responsibility for risk decisions that really belongs to functional business managers. Frequently, business managers will assume that the IT organization's "standard offering" will address their unit's IT risks. "Such an approach makes the IT organization or the IT security organization the scapegoat for security failures and any consequent reduction in perceived service or flexibility," Heiser wrote. He recommends pushing ownership of the process of aligning risk with business benefits back to the business groups so that they're held accountable for failures in security and continuity in their operations.

"Simple, manageable risk assessment frameworks, explicit acceptance of residual risk, and security service level agreements will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks," said Heiser. "The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services."

Heiser has written a Gartner research note, "Four Risk Management Mistakes That Threaten Your Security Budget" ($95), on the topic. Further information can be found here.