Over the years, we have seen company owners struggle with cybersecurity. This is mainly caused by the community itself, which uses complex words, lots of jargon, and abbreviations nobody has heard of.
We decided to take a different approach. In 2008, we developed a simple method to engage all parties in cybersecurity using the analogy of the “financial function”, putting your “high-value assets” at the core.
Every organization needs to manage money, which is even more true for companies that make money with IT. We observe many similarities between security and the “financial function”: ultimately, the financial officer wants to ensure the reliability of the financial figures, and the (chief) security officer wants to manage all risks and provide digital assurance at all times. We applied this methodology to 250+ organizations and made it into a book.
A lot has changed since then, but the methodology is even more relevant today, so this article makes a more detailed comparison.
For fourteen years we have worked on easy-to-use technologies to support the security “function”, not as a one-person function but as an organizational function, by providing an easy-to-understand method and tool.
We had to make a tool for all actors in an organization: line managers, product owners, privacy specialists, legal, compliance, finance, operations, etc. This can only be done by making the workflow simpler than anything else on the market.
Whilst it is not easy to synthesize decades of experience, we focused on simplifying doing the right things right. How?
Well, I hear you think: does this tool help me with all the nasty bureaucracy of legislation? Yes, it does. Anove simplifies the bureaucracy of legislation and compliance and creates one source of truth, similar to the CFO’s financial system. But do I still need a security officer to manage and monitor all this? You might want to reconsider that.
We see many organizations make the mistake of hiring an expensive security officer on their payroll who usually introduces more rule-based compliance, jargon, and red-tape bureaucracy. In most cases, the security officer focuses on the processes or the technology, rarely on understanding the business, its goals, and the return on investments in security.
The majority of current security technology remains underutilized, meaning you paid for technology but it is not used to its full capability. And in only 50% of cases is a business case made for security investments, meaning the other half is invested without proper justification from the security officer. [1]
In an earlier blog “Which of these 4 CISO archetypes do you deserve?” we defined the types of (chief) security officers. We believe that in most industries, companies from 5 to 50 full-time employees using a central repository technology like Anove to maintain visibility and oversight could make use of a part-time security officer for 1 day a week.
This security officer could then focus on the most significant risks and explain the ins and outs of the broad investments the company should make to mitigate the main risks to its highest-value assets.
The security officer should not compensate for what other departments should do. For example, training, awareness, etc. should sit with HR, but most of the time they remain with the security officer. Likewise, the KPIs for an outsourced security operations centre (SOC) could sit with procurement, not the security officer.
Security is all about doing the right things and doing them right. Don’t get us wrong here: you never outsource your accountability. You only outsource the responsibility, and you do so by fully understanding your accountability and not remaining in the dark. Anove helps by assuring visibility of risks to assets, their owners, and the actions needed to remain in control, for any Tech CEO.
Companies that scale from 50 to 100 FTE can easily use a part-time security officer for 2 days a week, drastically decreasing the cost of the security function and bringing the focus more towards investment utilization.
In other words, what existing technology can we use better and smarter to get more “bang for our buck”? Any security officer nowadays should be able to quantify risk in euros and calculate the best security investment (we refer to the return on security investment, or ROSI, calculation), capture that in tools like Anove to provide a holistic portfolio of investments, keep an audit trail to see whether certain investments pay off, and in the end contribute to achieving business goals.
Security is like staying physically fit. If you only talk about it, nothing happens; you must be disciplined to make it work. Generic fitness programs only work for some people; you need to tailor them to your goals. Security is not only about technical measures like encryption and multi-factor authentication, but mainly about understanding the organizational needs and goals and how you can gain even more speed without losing your compliant status.
Over the past decades, we simplified our technology by removing fuzzy features, since we believe simplicity is critical in this profession. We also invested heavily in a network of business- and tech-savvy security officers [2] who support companies in doing the right things right and who reason from an investment perspective about what works best to stay safe and compliant around the globe. We named them (C)ISO twins, since they stand next to your company to support and challenge it.
This is what we do: leveraging capabilities that are already present and focusing strictly on following up on what works for you (and your company). So before investing in security, really think about what you deserve.