Adapt or die: A CISO's new role in a social media first world

The way security practitioners must operate in today's digitally-focused, consumer-driven environment has fundamentally changed.

CISOs' historical charter has been to keep the network secure and safeguard data. Today, the way organizations create value has evolved -- 88 percent of the S&P 500's market value is now derived from “intangible” assets, and a dramatic change in where technology and business risk overlap has occurred. Technologists can no longer focus on risk in isolation from business growth and risk factors.

What makes this even more challenging than it sounds is that the technology, which ultimately must be prioritized in today's modern business, doesn't live inside the walls or inside the networks of our organizations. The data isn't owned by the company tasked with securing it. The rapid adoption (and domination) of social media networks for marketing, sales, recruiting, HR, collaboration and other key functions of the business has created an external risk surface that outpaces internal security vulnerabilities (in terms of impact and cost when “breached” -- more on that later). Even when we look at a traditional data breach, the impact to the reputation of a business bears the greatest cost; note a study by Deloitte: only 6 percent of the cost of a breach is now tied to operational or IR costs. The rest is linked to reputation-related damage -- a radical paradigm shift for old school security hardliners.

Welcome to the Social Media Revolution

The way every human on earth communicates and engages has fundamentally changed. This isn't hyperbole: 3 out of every 4 living humans have an active social media profile, spending on average one-third of their online lives liking and posting on social media (that's three hours per day). Social media hasn't just impacted where we spend our time online, though; it's changed the shape of global commerce too. In 2015, Facebook drove over 52 percent of online and offline purchases, and 81 percent of social media users said their friends' posts influence their purchase decisions.

With all this said, social media isn't just a personal communication tool and an e-commerce lead machine; it's a fundamental business platform. Think about how impactful social media is to a business. We all understand the marketing use cases for social media, but what about its integration with other parts of the modern-day business?

HR and recruiting teams rely on the power and reach of social media to attract and retain top talent. In fact, 84 percent of organizations report using social media as a primary recruiting tool.

If you want to get an issue resolved with an organization, you could call their 1-800 number or send an email into an abyss… or you can send a public social media post to the brand's corporate account on Facebook, Twitter or Instagram. More than 70 percent of customers report using social media to get issue resolution, and almost half prefer social media support to traditional channels.

It's fair to say that social media is truly the “modern” business platform. If you look at the organizations that have invested heavily in social, you'll find they outperform the S&P 500 by over 40 percent, according to Millward Brown.

So What Does This All Mean for the Modern CISO?

Defending the way a business operates, competes and grows has always been a CISO's job, but now security professionals must adapt their thinking to the social media and digital revolution that has taken place. In today's hyper-consumer-driven world, the social reputation of an organization is at the heart of winning new customers and keeping old ones. Business value is tied to perception rather than tangible assets (and even elections can be won or lost on social media networks).

The first step to adaptation is to understand how the business grows; the CISO needs to be included in go-to-market conversations and sales and marketing discussions. She must truly understand business value in order to prioritize business protection.

The second step is to understand the inventory of external technologies in use. This is not shadow IT or cloud security; it's social media and digital security.

Once the CISO understands where the business value is created, and what platforms and technologies exist to execute on that value creation, she needs to learn what external factors could cause damage to the business. This is often the hardest part, because there isn't a good blueprint. Learning the methods of business risk evaluation is key to the CISO's effectiveness at this third and crucial step in the process. There are some basic financial-market-driven exercises that can be deployed for public companies, but for private organizations it becomes even more critical to understand the business and stay aligned with growth (and negative events).

Now that the CISO has a foundation for social media and digital risk exposure, beginning to address these risks follows a familiar process: operationalizing tools, procedures and people; building and training a team; and monitoring for and protecting against risk events. The big difference is that we are focusing on a very nuanced set of risk events, different types of technology platforms and very different types of operational models. The damage isn't always direct (like a data breach), but as we have explored, damage to the business reputation is ultimately a threat to the operational integrity of the business.

Social media is truly the wild west of information security. We need modern CISOs to step up, empower their business online and regain control over their social media and digital risk exposure.