How to go from dinosaur to eagle - or risk being the CISO that got hit by the comet

Security leaders must make the leap from internally focused IT to externally focused BT. Here are some tips to get started.

A very strange and sudden thing happened 66 million years ago. A comet crashing into the Mexican Yucatan peninsula near Chicxulub put an end to the long reign of the dinosaurs. But not so fast. We now know that some of those dinosaurs survived the massive Cretaceous-Tertiary extinction event: the smaller, faster, feathered and headed-toward-warm-blooded early ancestors of our eagles and hawks.

What can we as security and risk professionals learn from those early ancestors of today's great raptors (and other birds) to make the leap required to survive the massive extinction event the business world is undergoing: the age of the customer?


Why now?

In the age of the customer, any part of your business that does not directly drive revenue and growth is ripe for disruption. If you cannot explain clearly and succinctly to your leadership why information security is more than just another cost center, why it must become an integral part of what makes your brand trusted by your customers, then you will face either sudden extinction or death by a thousand slow budget cuts.

Sure, speaking the language of fear may get you short-term attention, but very soon you will be asked to prove that all the capital invested in shiny new security technology was actually well spent. Learning now how to make the leap from an internally-focused Information Technology mindset to an externally-focused Business Technology mindset is the only way to thrive in this new environment.

How to make the leap

Let's get started with three things that we can do today to plant the seeds not only for our survival but for our ability to thrive in the age of the customer:

What to focus on

In our consulting engagements, our clients are voicing their customer-facing security and risk challenges with a refreshing sense of urgency. This tells me that forward-thinking security leaders are taking seriously the importance of the outside-in perspective to the success of their businesses. Three areas that we are hearing about a lot these days are federated identity, brand resilience and business-centered metrics:

  • Addressing customer-facing identity issues. A company that provides technical information to over 500k customers from both educational institutions and private industry needed a clear strategy for addressing the lack of a standard identity and authentication method across a large number of product sites and applications. Navigating the rapidly evolving landscape of protocols and standards for federation, non-intrusive authentication and the elimination of passwords was a critical first step. Defining clear architectural principles, frameworks and solution models then became a gateway for increased efficiency. The results of this strategic and architectural work will drive customer retention for years to come.
  • Supporting brand through well-planned crisis management. Clients are asking us to provide detailed guidance on the external-facing component of breach incident response. Financial institutions in particular are recognizing that even the most mature and sophisticated security operations team may one day be faced with a breach of customer or employee data that requires a well-thought-out and timely series of communications. Bringing all the stakeholders together, from legal to corporate communications, and documenting the steps to be taken in a crisis can make a difference when it comes to how your customers react to the news of the breach.
  • Producing metrics that matter to executive decision makers. Government agencies in particular have been coming to us lately looking for a way to structure their security program reporting metrics. While there is no one-size-fits-all approach, there are some key steps we recommend.

Watch this space for more posts from Forrester consultants on how our clients are making a shift to a customer obsessed business technology agenda.