Businesses have wanted to go digital for a long time but struggled to find what that end state looks like, said Aman Raheja, CISO at BMO Financial Group, speaking this week at the Gartner Security and Risk Management Summit at National Harbor, Maryland. Though companies are serious about "digitization," which has the potential to help revenue generation, the "goalpost keeps shifting."
The same business pressures pushing for bottom line growth are influencing the security organization as well. As a result, two years ago BMO instituted a security strategy, referred to as BICT, centered around business value, industry benchmarking, compliance and threat management, according to Raheja.
Security projects from BICT contribute to overall business performance and assess the company's security maturity compared to its peers. The financial organization also closely follows internal standards and those set by regulators. Securing data and people is "the core of what we do," said Raheja.
With a BICT model, the security onus shifts toward prevention, not reactionary measures.
BMO is boosting the value of its security organization at a time when more businesses are asking infosec to prove their worth. It's a stark contrast to security leaders ringing the alarm about one threat or another. Instead, teams can collaborate with lines of business to make technology easier to use and more secure.
BMO is working to eliminate passwords, a user experience improvement with an underlying security benefit, Raheja said. With password alternatives, users won't have to write passwords down, which increases security and saves time for support teams tasked with resetting account credentials.
Revamping BMO's approach to passwords has a business case with the promise of quick ROI. The company has already done the math; now it needs the right solution, Raheja said.
With resource constraints, the security organization cannot get to every project at once, so Raheja ranks the priorities. It creates a phased approach to security, which BMO repeats every six to 12 months to ensure the previous priorities still stand.
The upgrade process has its drawbacks: It's hard to be strategic if a company is saddled with technology it doesn't want, said John Girard, distinguished VP analyst at Gartner, speaking at the symposium. Strategic security investments are mired in old systems.
System "bloat" also leaves teams invested in older solutions nested in their workflow, Girard said.
Change is often resisted when it comes to technology, but organizations need to simplify their security stack to make it more effective. But, Girard said, security leaders have to ask themselves, "are you investing in security or are you a consumer?"
When security teams buy a product, they should also plan its retirement cycle, Girard said. Groups can put criteria in place for when something becomes obsolete.