In my previous blogs I’ve looked at two of the myths that prevent organizations moving to an application-centric approach to security policy management. Lack of maturity and requiring too many resources are two of the issues that we generally hear as reasons for not moving to a model that enables a business to become more agile and more secure. In this final post I’m going to tackle the third most common misconception: business leaders aren’t interested.
Business leaders aren’t interested
IT security teams often believe that business managers may not be interested in an application-centric approach, as the effort to get there appears to be too much when there is so much else to do.
The key here is how to frame the issue to the business. If the business isn’t interested, the value proposition hasn’t been framed properly. It should be structured, above all, around business enablement, and the IT security team needs to see itself and be perceived as a trusted advisor to the rest of the business by ‘translating’ its own jargon into concrete business benefits: How will security help get business applications to market more quickly? Will it drive business productivity? Will it help avoid outages that slow down the business and impact its reputation? Will this new approach allow IT to focus on more business and strategic initiatives? And above all, how will an application-centric approach to security policy management reduce risk for the business as a whole?
Using the right language for boardroom support
So how should Security put forward the case for an application-centric approach to security?
If the Security team is presenting Security issues to the Board in terms of IP addresses and other networking parameters, the chances of securing buy-in are slim.
Instead, IT teams should be talking about security in terms of how an application-centric approach will enable the business’ leadership team to understand which applications are working, which require connectivity changes to function properly and, most importantly, which are introducing risk to the network. This speaks to the board’s and shareholders’ top concerns of cyber risks and business agility, which makes far more sense and offers a clear value proposition with an opportunity to demonstrate the return on investment of the new approach. This in turn also helps to give Security a more prominent voice at board level.
By framing the approach in this way, it becomes apparent that an application-centric approach to security policy management will help drive the business rather than hinder it. As such the project will secure C-Level support while also positioning the security teams as valuable strategic voices within the business.
The end game of taking an application-centric approach to security management is a more secure, more agile business, with a real security policy management ROI. Don’t miss out on driving your business because of a few misconceptions.