Fifteen years ago, when security professionals talked about state-sponsored cyber-attacks targeting businesses, they’d be dismissed as fearmongering or detached from reality. Today, those same threats make daily headline news, and recent high-profile breaches such as those at North Face, Cartier, and Marks & Spencer have banished any remaining skepticism.
As a security industry, we’ve fought hard to win the awareness battle. But now that it’s won, we must evolve how we lead.
Imagine an IT security business calling up the likes of Adidas and pitching with "we can stop the bad things happening to you." Their voice would be drowned in a sea of hundreds saying the same.
The same applies to security teams advocating for budget internally. It's time to move away from expounding on well-known threats and towards offering practical solutions. The question now is no longer whether businesses need security – it's how to achieve protection effectively.
From security sheriff to strategic partner
Think about leadership styles. When you're in a position of authority, you can either dictate orders or lead through engagement, explaining how your work enables others' goals. The security industry has earned its authority – now we must evolve our approach.
I’ve seen this evolution playing out differently across our clients. Some security functions remain effective in the traditional 'guardian' role but hit a ceiling in strategic influence. Others embrace the business partner approach, engaging with their wider organization, aligning with business performance goals, and achieving far greater stakeholder engagement and results.
Making this shift requires moving beyond flawed business cases built purely on fear.
Take GDPR fines, for example. Businesses can be fined up to 4% of their annual revenue for a breach. Yet the chances of the maximum penalty being applied are relatively small. Why then, when given the precious opportunity to influence a senior leader, would you center your business case around such a risk?
Focusing on these types of risks erodes both the strength of the business case and your credibility, leading to missed opportunities for vital engagement and buy-in. To become a strategic partner, we must instead strive to showcase the value an initiative will deliver to the business rather than the penalties or consequences it may offset.
Integrating cybersecurity protection
Protection remains the bedrock of security – the foundation underpinning everything we're trying to achieve. But protection alone won't deliver the outcomes you, and your business, need.
Most headline breaches result from social engineering attacks that exploit people in the loop: password failures, phishing successes, human error. You can't protect assets without engaging people to take responsibility. And you can't secure leadership support without demonstrating performance value.
Protection is as important as ever, but you achieve it through integration, not isolation.
So, what does optimal protection look like? Not all that different from what you’d expect, to be honest. It should encompass Zero Trust implementation, Segregation of Duties (SoD), good management of IT controls and risk, automating controls to strengthen and streamline processes, efficient deployment of security solutions, and a strong focus on compliance. The difference is in how we deliver on the value of these practices, accounting for organizational and governance impacts, connecting to business performance, and engaging stakeholders across the organization.
In our experience, making good use of technology and automation – and ensuring they are deployed and configured to the specific demands of the business – can make a real, demonstrable difference. Consider how password length monitoring was traditionally managed prior to automation – manual audit checks every three to six months that only detect changes retrospectively. Automation of these controls allows monitoring to be conducted daily or even hourly, which vastly shrinks the window of vulnerability and shifts a detective control to be almost preventive. Of course, this aids protection. But it also contributes positively to business performance by freeing up audit staff for other value-adding tasks.
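To make the password-length example concrete, here is an added illustration (not Turnkey's code, and not from the article) of what an automated control check looks like and how check cadence determines the exposure window. The baseline minimum length of 14, the system names, the snapshot times and the quarterly interval of 91 days are all constructed assumptions for this example.

```python
"""Continuous control monitoring for a password-length policy.

Constructed example: a baseline, a set of policy snapshots collected from
systems, and three check cadences (quarterly manual audit, daily, hourly).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed organisational baseline for this example (not from the article).
BASELINE_MIN_LENGTH = 14


@dataclass(frozen=True)
class PolicySnapshot:
    system: str
    observed_at: datetime
    min_length: int  # configured minimum password length on that system


def evaluate(snapshots, baseline=BASELINE_MIN_LENGTH):
    """Automated control check: flag every system whose configured
    minimum password length has drifted below the baseline."""
    return [
        {
            "system": s.system,
            "observed_at": s.observed_at,
            "min_length": s.min_length,
            "shortfall": baseline - s.min_length,
        }
        for s in snapshots
        if s.min_length < baseline
    ]


def next_check_after(event_at, first_check, interval):
    """First scheduled check at or after event_at, for a schedule that
    starts at first_check and repeats every interval."""
    if event_at <= first_check:
        return first_check
    # Ceiling division on timedeltas: floor of the negated value, negated.
    periods = -((first_check - event_at) // interval)
    return first_check + periods * interval


def detection_delay(event_at, first_check, interval):
    """How long a weakening of the policy stays unnoticed under this cadence."""
    return next_check_after(event_at, first_check, interval) - event_at


# Assumed cadences: the quarterly figure approximates the three-month audit cycle.
CADENCES = {
    "quarterly manual audit": timedelta(days=91),
    "daily automated check": timedelta(days=1),
    "hourly automated check": timedelta(hours=1),
}


def exposure_report(event_at, first_check, cadences=CADENCES):
    """Exposure window (time until detection) for each cadence."""
    return {name: detection_delay(event_at, first_check, ivl)
            for name, ivl in cadences.items()}


# Constructed sample data: the schedule start and a policy change on one system.
SCHEDULE_START = datetime(2024, 1, 1)
DRIFT_AT = datetime(2024, 2, 14, 9, 30)  # hr-app's minimum length was lowered here
SAMPLE_SNAPSHOTS = [
    PolicySnapshot("hr-app", DRIFT_AT, 8),
    PolicySnapshot("erp", DRIFT_AT, 14),
    PolicySnapshot("vpn", DRIFT_AT, 12),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SNAPSHOTS):
        print(f"FINDING {f['system']}: min length {f['min_length']} "
              f"is {f['shortfall']} below baseline")
    for name, delay in exposure_report(DRIFT_AT, SCHEDULE_START).items():
        print(f"{name:24s} exposure window: {delay}")
```

Run as a script it prints the two findings (hr-app and vpn) and the exposure windows: about 46 days under the quarterly audit, under 15 hours with a daily check, and 30 minutes with an hourly one. The same `evaluate` function is what you would schedule; only the cadence changes, which is the point of the paragraph above.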
The effective deployment of technology can be a solid foundation to protect your organization’s assets. But technology alone is not enough. Sustainably protecting your enterprise – and achieving an ROI on your initiatives – depends on people understanding and committing to their role in security initiatives. This exemplifies Turnkey’s approach: maintaining solid technical skills to deploy solutions specifically and intentionally, in alignment with each unique organization’s people and performance objectives.
In summary: Leading tomorrow’s security
Given that as much as 80% of security work still lives in the traditional protection space, it will always be critical. Yet, it’s only in linking security with people and performance that we truly unlock our effectiveness. This must be our focus.
The key is demonstrating business partnership and leadership rather than just authority. Get it right, and both security outcomes and stakeholder relationships will improve simultaneously.
Want to learn more about building a security strategy that blends people, protection and performance? Get in touch with the Turnkey team today.