The dichotomies of business intrigue me. How, on one hand, can we see the role of the CSO become increasingly aligned with the business, resulting in elevating the CSO in the reporting structure to a senior-management position, while on the other hand, we see some businesses just don't really "get" security at all? It makes me wonder what's going on out there.
Last month in CSO, Bill Brenner showcased the results of the 2011 Global State of Information Security Survey, the annual report we conduct with PricewaterhouseCoopers and CIO magazine. Among the more interesting findings was that the requirements of clients are becoming a major justification for security investment at organizations of all sizes. These client demands are a natural evolution of the 50-page tell-me-about-your-security questionnaire that many of you receive from or require of your partners. Security is becoming a business-enabling, customer-focused arm of the business, and failing to have good security measures and practices in place limits your organization's ability to successfully engage partners and drive new business.
Here's one example: I spent some time this month with an attorney friend of mine who specializes in information security law. One of his clients was looking to move some of its services out to the public cloud.
After evaluating possible cloud service providers, they narrowed the field of vendors down to two: a large, familiar cloud provider, and a smaller upstart. As part of the final evaluation process, the client asked the providers about the security of their infrastructure. The large cloud service provider said not to worry about it, the company takes security very seriously. The client asked to speak with the vendor's CSO or CISO and was told that there was no such position at the company.
The smaller service provider, on the other hand, responded that, yes, it too takes cloud security very seriously, and would be happy to bring in its CISO for a debriefing. The smaller firm said it understands how important security is and was able to back up its statements.
The smaller company, though slightly more expensive, got the business. It took security seriously.
Businesses need to understand that good security is a business benefit. Many already do. Some still do not. In this age in which we are all connected to our partners, suppliers and customers, "getting" security is a requirement for staying competitive. Those businesses that understand this can turn it into a competitive advantage. If you have not done so already, I urge you to set up a meeting with your VP of sales or COO and teach her how seriously your organization takes security. Go beyond the fact that you may be PCI compliant or have a SAS 70. Give her the tools that will help her sell what your business does.
Doing so will only increase the understanding in your company that security is a business driver, not a cost drain.
This story, "Win business by taking security seriously" was originally published by CSO.