At the convergence of digital transformation, an industry-wide focus on SASE, and the effects of the continuing COVID-19 pandemic, there are key forces that security practitioners need to be aware of and operate within. This is the second blog in a series of three detailing these forces and how security leaders and practitioners can adapt to them in a digitally transforming, SASE-enabled world. This blog covers the forces of Organizational Culture and Adversaries and Threats.
Force 3: Organizational Culture
Organizational culture can have a significant impact on the security program. A shift in executive leadership or the board often changes the organization’s risk appetite and the priority of the security program. Most boards now require a minimum report to the full board and a quarterly report to the audit subcommittee of the board.
Impact of the Pandemic
The most significant change we have seen in organizational culture is the rise of the remote worker amid the COVID-19 pandemic. Whilst traditional organizations prefer to see people in the office collaborating face-to-face, the goal for most employees is flexibility in their working environment. Pandemic planning aside, most workers will choose their employer with this flexibility in mind and will ask about it at the interview stage to ensure they have the best work-life balance. In addition, the next-generation workforce will demand this level of flexibility. With concerns over health, rising house prices, the increasing cost of affordable housing near workplaces, and the costs of travel assessed against salary, most workers will need this flexibility. As organizations reimagine their strategies, understanding how they mobilize the workforce will be critical. The mentality of working from anywhere, at any time, from any device, accessing any application, and sharing any information supports this cultural change. This shift away from the traditional office is evident in most industry sectors today.
Organization’s Risk Appetite
With a flexible and innovative workforce, there also comes a shift in an organization’s risk appetite. So, how is that changing? Risk management was traditionally used to block high-risk activities and maintain alignment with company and security policy. It was a simple binary approach that most employees understood. However, as digital transformation and its complex supply chains make the way organizations offer their goods and services more complex, these simple approaches no longer scale. New risks need to be identified based on behavior, specifically behavior around the most critical asset an organization has: its data. As more risk management programs become data-centric, so must their measurements of the likelihood and impact of these risks. Organizations today have become more open and willing to take new risks that, when managed appropriately, can increase their revenues.
Changes in Financial Policy
Chief Financial Officers are looking closely at the savings they can realize by moving away from capital investments to subscription-based contracts. Investment in technology is no longer a barrier with cloud services on a pay-as-you-innovate model. However, some industries, such as critical national infrastructure (CNI), may still have a risk-averse culture and, appropriately, a more restrictive security strategy. Generally, this is where today’s CISO must be able to adjust to new technologies, new controls, and more open policies that allow a more open and collaborative culture to excel.