What does it take to lead a paradigm shift in how IT security is perceived? That’s the question we were left asking ourselves after a recent exploration of our organisational purpose.
The exercise revealed a tension at the heart of our industry: Businesses think IT security is important, but they believe it comes at the expense of business agility.
We know better. And as a security professional, I suspect you do, too. But how do we change the current thinking and elevate the role of security – and you – from blocker to key business partner?
Leading a paradigm shift
Change starts from within. That’s why our first step was to unpack our purpose into something we could live and practice. To get there, we reflected on the findings of the exercise. They validated a truth we’ve repeatedly observed in our 20+ years of leading security projects for our clients: The most successful outcomes are achieved when security is aligned with strategic business goals and supported by an engaged workforce. In other words, initiatives succeed, and the perception of security begins to evolve, by focusing on three key areas – People, Protection, and Performance.
IT security is complicated, but People, Protection, Performance offer a simple structure for how we approach it – one that can be shared by our team and delivered to clients regardless of size, sector, or location.
People
Security is everyone’s responsibility. As a professional in our industry, you know that better than anyone. Why then do so many organisations and systems integrators neglect the ‘People’ aspects of security initiatives?
While we see a lot of focus dedicated to the concept of ‘the Human Firewall,’ our purpose challenges us to look at the bigger picture and account for the organisational changes necessary to elevate security and controls as drivers of growth. Educating, equipping, and empowering our clients, key business stakeholders, and their broader workforce is key. From supporting the development of a business case to providing tools and training, Turnkey puts ‘People’ at the heart of every project.
Turnkey’s EMEA Sales Director, Cavan Arrowsmith, summed it up brilliantly in an article for IntelligentCXO. As he said, “…technology being viewed as technology…misses the crucial point that this technology is used by people – and those people need to feel invested in deploying [and adopting] the new systems if they are to be truly valuable and meet the goals of the project.”
Protection
Protection refers to the more traditional aspects of IT security. The application of technology to protect our clients’ IT assets and manage IT security threats is more critical than ever. That’s why we champion a security-first approach to IT initiatives, especially large transformation projects like moving to SAP S/4HANA. It's also why we employ the leading experts in SAP Security, GRC, and Identity and Access Management.
Turnkey has long believed that the technical skills required to get these solutions right are essential to any successful project. We see this play out every day with our clients. From advising on the optimal tooling for their business needs, taking technology off the shelf and making it sing, or rescuing implementations gone wrong because the hired SI lacked the necessary skills, the importance of expertise in protecting your enterprise can’t be overstated. Expertise ensures a project goes smoothly, brings value to your business, and helps positively influence how security is perceived.
For Turnkey, that expertise also includes linking security initiatives to business strategy. Enter ‘Performance.’
Performance
The final component to our approach is ‘Performance.’ You’ll recall the fundamental tension revealed in our purpose exercise – the perception that IT security inhibits growth; an important but necessary evil, implemented and enforced at the expense of business agility.
It’s easy to see why people think this way. Describing all the bad things that might happen if we don’t undertake a security initiative is often the default approach to building a business case. This perpetuates the myth that security and business growth are in contention and must be traded off against each other.
Changing how security is perceived starts with lateral and considered thinking about broader business objectives. How can security work in service of those goals? How does a security initiative make other pursuits possible? In exploring these questions, the positive impact of security on business goals and strategy can be brought to the fore. The impact is twofold. The business case resonates more with the executive leadership and a wider stakeholder community is also bought in to the security agenda.
Introducing Digital Enterprise Resilience
To articulate the benefit of our approach to clients we decided to define the bringing together of people, protection and performance as “Digital Enterprise Resilience” and have some fun with this by giving our new term a dictionary definition...
Digital Enterprise Resilience
noun
Definition:
The capacity of an organization to withstand disruption and achieve business growth through the implementation of robust security and controls that are aligned with strategic goals and supported by an engaged workforce.
Digital Enterprise Resilience is achieved when risk and security initiatives are right-sized, aligned to broader business objectives, and supported by a security-engaged workforce. In short, Digital Enterprise Resilience is made possible by bringing together people, protection, and performance.
When companies achieve Digital Enterprise Resilience, they reposition the security function as a business partner. I have likened this shift to the changes we have seen in Finance and HR teams over the past 20 years. These teams have adopted a business partnering model, and, as a result, they are now seen as fundamental contributors to the success of any major initiative within an organisation.
The coming together of People, Protection, and Performance makes the goal of Digital Enterprise Resilience possible. It offers a future where risk and security professionals are seen as genuine partners to the business. That is the paradigm shift we’re leading for our industry, and I look forward to sharing more on how we make it happen.
