If you’ve been following the high-performance IT blog series, and you’re thinking to yourself, “Makes sense, but where does security fit in?” — you’ve come to the right place. High-performance IT emphasizes trust as one of its three guiding principles, which means that the CISO needs a seat at the table from the beginning. Security breaches and privacy lapses are prime causes of trust erosion — so CISOs play a critical role in building and maintaining a trusted business.
As a quick refresher, Forrester defines high-performance IT as the pursuit of continuously improving business results through technology. High-performance IT recognizes that there’s no one-size-fit-all strategy — an organization’s IT strategy must be aligned to its business goals. To that end, each organization’s high-performance IT strategy centers on one of four styles: enabling (focused on stabilizing, operating, and protecting the business), co-creating (focused on delivering new products to drive growth), amplifying (focused on optimizing outcomes at higher scale), and transforming (focused on using emerging technologies to accelerate business results).
Security leaders must properly prioritize a slew of security, privacy, and resilience activities to be in lockstep with the organization’s technology strategy. Just as CIOs distribute their focus among the four high-performance IT styles to align with business goals, CISOs must align their focus areas with business goals and with IT’s choices. As with IT, security will always have ongoing operational investments, but when considering net new investments that will support IT’s drive towards speed and scale, security leaders must:
- Begin with Zero Trust to deliver the enabling style. IT organizations rely on IT capabilities in the enabling style to stabilize, operate, and promote the business. Capabilities like resilient multicloud infrastructure, industry ecosystems, Zero Trust security, compliance, employee experience, and sustainability are essential. For the CISO, that means emphasizing the core elements of Zero Trust intermediate maturity, such as data discovery, data classification, and identity management.
- Secure what you sell to align with the cocreating style. Firms invest in IT capabilities in the cocreating style to develop, deliver, and operate new products and platforms. Technology leaders will collaborate with the business to build skills to scale product development. They’ll also look externally and leverage technology partnerships to scale capacity and acquire expertise. Security leaders at organizations that focus on cocreating capabilities must level up their security programs and extend their Zero Trust initiatives into the application and product security domain. Sample initiatives include securing the modern application architectures that are core to your new products and protecting your software supply chain.
- Automate and scale security in lockstep with the amplifying style. IT organizations that invest in IT capabilities in the amplifying style are looking to extract more value from their existing data and software. Advances in automation, AI, and analytics comprise a powerful toolkit to optimize business outcomes, like sales and customer experience, and technology outcomes, like efficient operations. Automation is the watchword for technology organizations adopting amplifying capabilities — security teams must follow suit and automate security processes so they can focus on work that’s more strategic than keeping the spreadsheets up to date. For example, if IT’s investment in amplifying capabilities includes more automation in the CI/CD pipeline, security leaders will need to automate pre-release security testing so as not to block development’s desired delivery cadence.
- Adopt emerging tech in the security domain to deliver the transforming style. Emerging technologies present new opportunities to create new market value and new business models. Technology teams that invest in IT capabilities in the transforming style look at how emerging tech can drive business goals — these teams stay relevant to the business by taking a thoughtful pipeline approach to considering, testing, piloting, and deploying new technologies in the right situations. Security teams must mirror this with an equally thoughtful approach to emerging security technologies like post-quantum cryptography, generative AI, and privacy-preserving technology.
CIOs: Share your high-performance IT strategy with the CISO so that they can align their focus with yours. CISOs: Reach out to your CIO counterpart to understand their high-performance IT focus areas, and use that to structure your security investments accordingly.
Want To Learn More?
Forrester clients can join us for a webinar on March 5th at 11 am EST, check out our new report, High-Performance IT: Security, Privacy, And Resilience, and set up an inquiry or guidance session to learn more.