Analysts Discuss the Nexus of the Culture Clash Security Leaders
Face during the Gartner Security and Risk Management Summit,
NATIONAL HARBOR, Md.--(BUSINESS WIRE)--Jun. 7, 2018--
While IT, and most businesses, have been focused on operational
excellence for the past 20-30 years,
"Today, the battle ground for the digital industrial revolution is the
customer experience," said
Everyone is a big digital consumer, and in this digital world, users expect customization to all their preferences. For security leaders, this means giving up some control, and it is resulting in the nexus of the cultural clash. This clash is taking place when risk issues are passed from the business department to the security department, with the expectation that the security team will deal with the problem.
"We as security people want things to be controlled," said Mr. McMullen. "We want them stable, but people's expectations are being set by forces outside our control. Which means we (security leaders) need to change how we engage if we want to be successful. We have to give up control to gain influence."
Create an Effortless Experience
The experience that customers are looking for is an effortless experience. The analysts pointed out that effort, not satisfaction or net promoter score, is the best predictor of future buying behavior.
“Security should not wreck the customer experience, but it often does,” Mr. McMullen said. “Customers, and that is everyone in your enterprise, want the effort they put in to match the value they expect to get. If you deliver the wrong experience, they’ll just tune you out.”
Actually Speak to Executives About Things That Matter to Them.
“Organizations are slowing down because they fear this issue,” said
Mr. Proctor said it’s important for security leaders to talk to business leaders about what matters to them. Show them how their business outcomes are directly dependent on technology. He said security leaders need to engage with business executives over things those executives think are important.
Help Executives With Their Decisions Through Operationally Focused
Risk Assessments. To help business executives,
“Offering executives decision-making in the context of operational outcomes makes these engagements more than interesting to them. It directly impacts the decisions they make,” Mr. Proctor said. “You are now helping them do their job.”
Create Defensibility for Your Executives. Executives do not directly control technology risk and security. However, when an organization gets hacked, the public wants executives to face consequences for the security breach.
“We have treated security like a dark art for so long that when an organization gets hacked, people don’t understand,” Mr. McMullen said. “So, the primary question is, ‘Who screwed up?’ You can’t guarantee the organization won’t get hacked, so stop selling your executives protection, and start selling something they truly need, defensibility.”
Take Tech Out of Your Conversations. The ability of security
leaders to abstract out technology and put decisions in terms of
business outcomes is critical to their success in a modern risk-based
“When we talk about technology risk and security, primarily in technology terms, stakeholders treat us like wizards who cast spells and protect the organization,” Mr. Proctor said. “Making risk and security more transparent and business-aligned is an absolute requirement to get you out of the wizarding world.”
Move From Project to Product Management. Project management is something security leaders have always done. They prioritize and fund activities. For example, there are start times, execution gates, implementation, acceptance testing, integration, and deployments included in project management. There is a beginning and an end.
In product management, everything is continuous. Typically, it’s organized around a business process and the IT requirements to support that business process. For example, in an insurance company, a product line could be underwriting, and in a risk and security context, underwriting continuously needs access control, perimeter protection, threat and vulnerability management, and handling and treatment of sensitive data. There is no end date.
“Doing these five things will improve executive experience, their perceived value, and result in a better, more appropriately protected organization,” Mr. Proctor said.
About Gartner Security & Risk Management Summit
Upcoming dates and locations for the Gartner Security & Risk Management Summit include:
Follow news and updates from the events on Twitter at #GartnerSEC.
Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries — across all major functions, in every industry and enterprise size.
To learn more about how we help decision makers fuel the future of business, visit www.gartner.com.
Tom McCall, +1 408-709-8096
"Safe Harbor" Statement under the Private Securities Litigation Reform Act of 1995: Statements in this press release regarding Gartner's business which are not historical facts are "forward-looking statements" that involve risks and uncertainties. For a discussion of such risks and uncertainties, which could cause actual results to differ from those contained in the forward-looking statements, see "Risk Factors" in the Company's Annual Report or Form 10-K for the most recently ended fiscal year.