Gartner to Security Pros: Start Working with the Business

Security professionals who want to protect security budgets during the downturn need to better align their operations with overall business goals, Gartner said last week. That includes treating users as customers and not as obstacles in the race to implement new security technologies.

During an information security summit in London, Research Vice President Jay Heiser told attendees that Gartner frequently sees security professionals make four risk management mistakes:

  1. Imposing uniform protection and security spending practices across functional units in the organization. "An optimal level of security spending takes into account the assessed level of risk, avoiding overspending and overprotection," Heiser wrote in a statement on the topic. "Business managers should be offered a relatively small number of risk management profiles that are designed to meet different use cases for data sensitivity and risk."
  2. Allowing technology versus business needs to drive security plans. "Security professionals have historically made technology-centric investment, implementation, and deployment decisions based on what they believe is required," Heiser wrote. "It is impossible to defend security plans, and the budgets they require, if they aren't based on business objectives." In situations where the business manager declines or refuses to participate in prioritizing risk for the business processes within their divisions, Gartner recommends bringing in higher-level managers to mediate.
  3. Using jargon that business people can't understand. Instead of describing security concerns about IT systems, data, and processes using language that only other security and IT professionals will understand, Gartner recommends using a three-level scale--high, medium, and low--to specify priorities for risk management services.
  4. Taking responsibility for risk decisions that really belongs to functional business managers. Frequently, business managers will assume that the IT organization's "standard offering" will address their unit's IT risks. "Such an approach makes the IT organization or the IT security organization the scapegoat for security failures and any consequent reduction in perceived service or flexibility," Heiser wrote. He recommends pushing ownership of the process of aligning risk with business benefits back to the business groups so that they're held accountable for failures in security and continuity in their operations.

"Simple, manageable risk assessment frameworks, explicit acceptance of residual risk, and security service level agreements will make it possible to deliver sound enterprise security, and to defend security budgets against cutbacks," said Heiser. "The first step that IT risk managers can take towards better alignment with the business is not to treat business managers as a problem that needs to be solved, but rather to regard them as customers who need secure and reliable computing services."

Heiser has written a Gartner research note, "Four Risk Management Mistakes That Threaten Your Security Budget" ($95), on the topic. Further information can be found here.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • digital lock with circuit patterns

    IBM Adds New AI-Powered Cybersecurity Tools

    IBM has unveiled an expanded portfolio of AI-powered cybersecurity products, positioning the company to compete more aggressively in a rapidly evolving market where enterprises are increasingly turning to artificial intelligence to defend against automated cyber threats.

  • Human Hand Assembling Digital Data Blocks

    Report: AI Impact Starts Relies on Strong Data Foundation

    High-impact AI implementations are more likely to treat data architecture, governance, and operationalization as strategic requirements, according to the 2026 Blueprint report from TDWI.

  • person typing on a touch screen schedule plan calendar

    Deadline Extended for ADA Title II Compliance

    Schools working to meet the Americans with Disabilities Act Title II regulations for digital accessibility have received a temporary reprieve: The United States Department of Justice has published an interim final rule to push back the compliance deadline by one year.

  • AI logo near computer equipment

    White House Issues National Policy Framework for AI

    The White House has released a four-page AI policy framework aimed at setting a national approach to AI, with priorities including child safety, intellectual property protections, truth and accuracy guardrails, and worker training for an AI-driven economy.