Many business and IT leaders are today being challenged to reconsider their established security practices in order to simultaneously address the constantly evolving threat landscape and drive the business forward. Under such conditions, the implementation of a mature security program is an absolute must.

Such a program should aim to make sense of the complex interplay that exists between technology, processes, and people. And with effective risk management capabilities sitting centre stage, the focus should be on enabling the organisation to safely undertake its digital transformation journey.

However, many organisations do not have the security maturity required to make integrated risk-based decisions and enable optimised controls in the right place at the right time.

This is a common challenge here in the Middle East, and it was with these struggles in mind that we developed an IT Security MaturityScape Benchmark to help business and IT leaders gain a clearer picture of the challenges and opportunities that digital transformation can introduce to their enterprises.

The value of investing in improving security is significant, and the benchmark enables businesses to assess their organisations’ competencies to foster and leverage security maturity with respect to five key dimensions — vision, risk management, people, process, and security technologies.

Based on the benchmark results, those organisations that are capable of achieving greater business outcomes tend to have greater IT security maturity across all five maturity dimensions.

When it comes to defining a vision for their security strategies, organisations have two clear choices: they can protect themselves against routine attacks and only acquire tools when the funds are available; or they can choose to protect themselves against advanced threats and put comprehensive compliance procedures in place to address the management of sensitive information and customer data. Organisations that go for the latter approach must have access to a well-defined security budget with all the right metrics and qualitative in place to justify spending.

From a risk management perspective, they may seek to conduct a gap analysis or cost-utility analysis. I also urge them to employ sophisticated controls for both on-premise and cloud environments, with such controls based on properly defined frameworks.

When considering the people dimension, organisations should include security executives in board-level discussions and encourage them to engage with all departments to provide guidance on the technology risks associated with any proposed business initiatives.

In terms of process, organisations must no longer rely on their employees adhering to simple acceptable-use policies for IT resources. Indeed, they must now look to introduce much more dynamic policies that are updated on a regular basis to take into account the latest threats. And when it comes to selecting the right security technologies, I urge enterprises to look beyond point solutions and instead embrace a much more holistic approach to addressing their security requirements.

To stay ahead of the competition, organisations need to become more proactive in addressing security challenges and creating security programs that focus on the most critical aspects of the enterprise’s business needs, target outcomes, and competitive environment. And by leveraging higher IT security maturity, organisations will enjoy more competitive advantages within the context of the third platform — built on cloud, Big Data, mobility, and social — and the digital transformation of their ecosystem.

Improving IT security maturity involves a multidimensional journey that adapts current organisational processes, technologies, and human resources to the requirements of the enterprise’s business strategy, target outcomes, and competitive environment.

IDC research shows that the vast majority of companies have yet to establish security capabilities and maturity at advanced levels, while only a small percentage have already integrated the risk management approach into their business management protocols.

Having an effective and mature security program in place is a precursor for creating healthy and innovative organisations in the emerging digital era. For IT executives in world-class enterprises, knowing their security maturity level is essential for understanding what their current security programs are capable of delivering and gaining a clear picture of what maturity level is required to achieve key business objectives.

Engaging in benchmarking practices also helps organisations to identify the next steps they must undertake to close any maturity gap that may exist.

As business and IT leaders increasingly embrace the opportunities brought about by digital transformation, they are also facing up to the pressing challenge of technology-related risk management, especially as it relates to protecting against intelligent adversaries.

It is clear that security has become a key issue for CIOs in recent years, and many large organisations have started to implement well-defined plans and put committed budgets in place to strengthen their security programs. However, the plethora of technology choices, the range of security technology and risk management skills, and the amount of hype are all making it difficult for many organisations to prioritise resource allocations toward their security initiatives and coordinate all the moving parts to successfully implement a cohesive security strategy.

So, organisations must employ a more proactive and predictive approach to meeting their security objectives in this challenging new digital world.

The columnist is group vice-president and regional managing director for the Middle East, Africa and Turkey at global ICT market intelligence and advisory firm International Data Corporation (IDC). He can be contacted via Twitter @JyotiIDC.