Security has historically been regarded as more of an insurance policy than a business enabler.
This is natural. There’s little doubt that an organization that has been hacked will be unable to continue to deliver stakeholder value if it doesn’t resolve the attack.
However, this can be too narrow a perspective because it pigeonholes security as a cost overhead on the business. There’s an inherent additional risk in this. Companies might question the need for security if they haven’t been attacked, lost data, or had their operations hacked yet.
In my discussions with businesses, investors and partners, I’ve found it’s more important to focus on where security can play a part in the context of the value a company seeks to create for its own customers.
For me, security is like breathing. It’s so important and fundamental – but it’s not necessarily what actually makes life enjoyable and fulfilling. Like breathing, security is about what it allows an organization to do.
Security and strategy: The best place to start
Security needs to be aligned with business strategy. This centers on what the organization seeks to achieve with its business, its customers, and the wider ecosystem of suppliers, partners and, for some, regulatory frameworks.
The challenge is that from the security perspective, organizations can’t know in advance whether an attack is likely, where an attack might originate, or the impact such an attack might have. As a result, security has traditionally been regarded as a means of protecting the organization.
And if security is not embedded into strategy, it will constrain an organization. If the business wants to move further online, but can’t because of weak security, or a lack of understanding of what security “means”, it will wait – and potentially be overtaken by competitors.
Security doesn’t stop at design: Lenovo has unique control over its global supply chain, setting strict security standards and policies for its manufacturing facilities through ThinkShield by Lenovo as it secures devices through the entire lifecycle.
Lenovo’s strategic partnership with Intel® has enabled Lenovo to align with the Intel Transparent Supply Chain, which allows customers to locate the source of each component of their new system. For devices with the Intel® vPro® platform, Trusted Device Setup seals software at the point of manufacturing, enabling companies to ship boot-ready devices directly to employees.
Intel is leading the industry in hardware supply chain assurance with Transparent Supply Chain – a set of tools, policies, and procedures implemented on the factory floor at PC and server manufacturers that help enable enterprises to verify the authenticity and firmware version of systems and their components.
Once devices reach the end of their lifecycle, Lenovo keeps potentially sensitive data secure by wiping the drives and securely recycling the parts. Lenovo offers a paid Keep Your Drive service that ensures sensitive information never leaves customers’ hands.
Defining security ROI: Difficult, but essential
This means we now need to discuss and consider security through the lens of return on investment (ROI). This is difficult, because the cost of security solutions is often regarded as a sunk cost. If you aren’t attacked, there’s no return. Measuring ROI for a security solution is challenging for this reason.
Making it less so starts with the move away from the “insurance policy” thinking towards assigning a return to stakeholders for being secure. The fundamental step to take is to work out where the real risks lie. Even small or medium-sized companies today have dispersed employees, large amounts of data, and transactions taking place over the cloud. The larger the corporation, the larger all of these become, and the larger the implicit risk becomes.
The adage of trying to eat an elephant in one bite comes to mind. You can’t. Organizations continue to be overwhelmed by the enormity of the challenge. Managing it means being clear about the assets – the data, processes, critical systems – needed to keep things operational and growing. This is not to dismiss all the other aspects of an organization – customer data, personal data, HR systems, payroll, asset security – as unimportant. They absolutely are important.
Rather than attempting to embrace the entire “risk portfolio”, organizations need to go back to their organizational strategy, and determine where the company’s value actually lies. For a pharmaceutical business, for example, it will be the IP of its drugs, its relationship with government regulators, the scientific community and the company’s shareholders. For a pipeline operation, it’s the ability to move fuel to outlets and be able to charge for the fuel.
It’s simply no longer feasible to be 100 per cent secure, let alone completely risk-free, across an entire organization.
Taking the strategic business approach allows companies to manage the challenge, and to deploy security where it can best support the business and deliver the best ROI. That’s a different approach, and one that goes beyond simply cutting an unmanageable list of 15 top priorities down to one or two.
An example of this is mobile banking. The way we all interact with our banks has changed completely over the past five years or so. I’ve not been in a bank branch for years. And I think banks around the world have done a phenomenal job of prioritizing the security aspects of building a viable mobile banking infrastructure that allows all of us as customers to enjoy very flexible banking services. This success has been built on a number of things, defined by the priorities they had: Organic investment, and the acquisition of expertise and technology. Banks today are tech companies. They introduced strong authentication using biometrics, and financial institutions were the first ones to roll that out. And as a result, the DNA in their thinking also changed.
In examples like this, the ROI in security becomes apparent. Helping IP or supply chains remain safe and secure means that the organization can continue to operate smoothly. Knowing where to assign the correct access privileges and where to secure access points becomes easier and more accountable. Those decisions are now aligned to the business strategy, and manageable in number.
Compelling discussion, better decisions, safer organizations
Yet there still seems to be uncertainty among board members and business decision-makers about how and where security fits. According to McKinsey research, while boards have security as a top-four priority, only 20 per cent declare cybersecurity a major challenge, which seems contradictory.
Changing the focus from buying technology to defining a return on security investment creates a compelling discussion for decision-makers. It’s the difference between saying an organization has a data center of servers that need to be made secure versus understanding that it holds critical information about customers that needs appropriate safeguards so that the organization can continue to operate with its reputation intact. That, I think, becomes a different type of conversation, about business commitments and benefits, as opposed to whether the building is on fire.
As we enter the new hybrid work era, with its greater security risks, organizations need to work out a security posture that is aligned to their business strategy. Security then moves from the realm of sunk-cost IT solutions to business enablement. That’s when decision-makers understand the decisions they have made and the levels of risk they are prepared to take on, and do so without unduly constraining their organizations. The balance then tips away from security as a sunk-cost IT solution, to an enabler of business value.
By Nima Baiati, Executive Director & General Manager, Commercial Cybersecurity Solutions, Intelligent Devices Group, Lenovo