Striking a Security Balance: Evaluating the Four Classes
All Things Being ISOs
Nov 27, 2023 (updated Feb 20)
CISOs Navigate Security Investments with a Focus on Business Need: The Four Classes of Practical Security Unveiled.

Every Chief Information Security Officer (CISO) grapples with the challenge of safeguarding their organisation's trust while managing limited resources. In the complex landscape of security programs, a strategic evaluation against four fundamental classes—'Keep out of Jail,' 'Table Stakes,' 'Competitive,' and 'Advantage'—becomes pivotal to aligning security efforts with business goals.
The Mission of Security Leaders
Upholding Trust
Security leaders are entrusted with safeguarding the trust painstakingly built over years with customers, partners, the marketplace, and regulators. This mission gains complexity as businesses expand services while ensuring security, requiring clarity in the type of security investments made.
Maximising Outcomes with Constraints
The perennial challenge for security leaders lies in maximising security outcomes with limited resources, all while managing business and political capital to drive necessary changes.
Balancing Security Programmes
Unearthing Imbalances
A stark realisation of imbalances within a security program came to light during a collaboration a few years ago. Despite heavy investments in analytics-based platforms, foundational controls were neglected, exposing a misalignment between security efforts and business needs.
Risk- or Market-Based Approach
The missed opportunity highlighted the importance of a risk- or market-based approach to security controls and investments. Rather than being swayed by top-of-mind ideas or new technologies, security leaders must categorise controls based on their market impact and necessity.
The Four Classes of Practical Security
1. Keep out of Jail
Foundational Controls for Legal Compliance
- Prioritising foundational controls is imperative as criminal penalties are attached.
- Building a coalition of support is crucial, emphasising compliance to avoid legal consequences.
2. Table Stakes
Necessary Elements for Business Operations
- Controls essential for being in business, such as data protection for cloud service providers.
- Comparing against common frameworks like CIS or ISO 27002 helps identify reasonable table stakes.
3. Competitive
Meeting Current State of Industry Expectations
- Controls representing the industry's expectations for security, compliance, or privacy.
- Necessary for business growth, aligning with customer expectations and industry standards.
4. Advantage
Investment Beyond Current State for Market Expansion
- Controls that represent a net investment to move above the current state of trust in the market.
- A shared vision is crucial, demonstrating how higher trust levels can lead to significant market expansion.
Calibrating the Narrative
Transparent Communication
- Security leaders shape perception by calibrating how security is viewed, placing it in the context of a broader, industry-competitive conversation.
- Transparent communication and consistency, both within and outside the security team, are crucial for success.
Beyond Specialist Language
- Extending beyond specialist risk language, a common taxonomy helps everyone understand classes of investment and their significance.
- The narrative for each class of security control is calibrated to build support for advancing the company's posture and unlocking business goals.
In conclusion, the journey of security leaders involves not just protecting systems but aligning security efforts with broader business objectives. By categorising controls into the four classes and calibrating the narrative, security leaders ensure that investments are strategically aligned, maximising the impact on trust and business success.