Commissioned by RSA, an IDC survey of nearly 200 top business executives and security professionals showed that the majority of organizations believe creating an environment ideal for innovation is critical to staying ahead of the competition. However, survey respondents revealed that in spite of their best intentions, IT security risk is impeding business innovation. In fact, 80 percent of those surveyed, admitted that their organizations have backed away from new innovation opportunities because of information security concerns.
IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals.
While the need to link IT security strategies directly to business goals is a widely-recognized imperative, only 21 percent of respondents believe their organizations have successfully made the transition to an approach that is proactive and business-aligned, and enables rather than impedes innovation.
RSA also today released the latest report from the Security for Business Innovation Council, which is comprised of 10 of the top minds in information security from some of the largest companies in the world. This report explores why legacy methods of evaluating information security risk don’t work in today’s connected world, in which any new business innovation inherently carries some level of risk to information.
In this landscape, the security focus must move from solely mitigating risk to also maximizing business reward. Based on the collective best practices of these leading security executives, the report offers a blueprint for making risk/reward calculations that help drive business value, and ensure they are executed and governed for enterprise success.
As a critical starting point, the Council report recommends some key shifts in organizational thinking and behavior including:
1. Move the security team’s focus from “Information Security” to “Information Risk Management” to signal that the goal is to achieve an acceptable level of risk;
2. Use a cross-organizational approach to understand and formalize the enterprise’s risk appetite;
3. Build a risk assumption model to delineate where and with whom risk decision responsibilities lie; and
4. Create a repeatable, step by step process, for making risk/reward calculations for new business initiatives and ensure it is rolled out across the organization.