The benefit of a people-centric approach to business growth

Never underestimate people power...
7 March 2023

Focus on people as well as processes and echnology.

In Part 1 of this article, we sat down with Rob Robinson, Head of Telstra Purple, EMEA, a UK managed services provider, to dive into figures suggesting that 29% of technology sector businesses recognize the human factor as a key risk area in their cybersecurity resilience, while 75% believe that removing silos and encouraging a people-centric approach can reduce breaches.

We talked about an increasing need for businesses to inculcate a collaborative methodology into their models, so as to make security a native concept in everything they do.

While we had Rob in the chair, we asked him how putting people at the heart of the business model had been shown to help businesses not only cut costs but drive achievement of their bigger commercial goals.

A people-centric approach to profit.

THQ:

The research from Testra talks about “people-centric” businesses and the things they’re free to achieve, compared to businesses that focus solely on meeting profit guidelines. Is there an easy way to adopt that kind of people-centric approach? What does the approach actually look like, and how do companies ensure they have one?

RR:

Yeah, the further we go into the 21st century, the more critical a people-centric approach becomes. We’ve seen what happens – companies have been purely reliant on technology and processes and procedures to ensure the safety of their systems and the safety of their data. And sure, those are absolutely critical and important factors. But the thing that’s been under-invested in is absolutely that people element.

That under-investment can be seen as a point of vulnerability and a point of entry in terms of insider threat or external threat. And you can see that in action, because with some investment and a change in people culture and investment in that training and awareness, people can actually become an incredibly effective line of defense for you as an organization.

Whether that be reacting to an external threat and notifying people, knowing how to address a potential threat, or, if there is an insider threat issue or something like that, where perhaps some information has inadvertently gone somewhere, knowing, from a cultural perspective, it is better to inform someone and address that threat in a way that is proactive and constructive.

So, for me, just flipping the script, and adopting a people-centric approach as an effective line of defense is absolutely critical to organizations moving forward.

THQ:

It’s an interesting one to compare and contrast, because in this post-pandemic era, what we have are more and more businesses going hybrid and adjusting to the new culture of many staff not being based in the office – and yet, needing to be more people-centric, both in the office and at a distance.

If we’re going for a people-centric approach, does it need to be a different people-centric approach in a hybrid work culture than it would otherwise?

RR:

We’re starting to see a change in business’ operating models, and so the security operating model needs to flow with it. That means you need to look at and start with your business requirements, you need to look at the changing landscape in which organizations are working. We’ve got more disparate systems, we’ve got more connected devices than ever before, in the form of IoT, and operational technology, and sensor-based solutions and things like that.

So we’ve got a wider attack surface and a more complicated threat landscape than we’ve ever faced before. And the result of that is that you need to adopt a security operating model that is reflective of that, as well as your business goals and your business outcomes.

You’ve got to get that mix right: people; process; and technology. And it needs to be aligned to that future state operating model. If you are moving towards more of a digital construct, if you are looking at more hybrid working, if you are looking at automating some of your operational technology, and you need to look at the design and security principles within that.

You need to be making sure that you’ve got that right portfolio and that right mix of people, process, and technology to address it, instead of relying on perhaps a more dated operating model that was more appropriate when you were facing a more traditional office space working environment.

THQ:

Is there an overall prescription that you’d give to companies that want to raise their cybersecurity game based on the results of the Telstra survey?

RR:

Yeah, it would be to look at that operating model – people, process, technology – and apply it to the overall operating model of the business. I think we’ve seen many more chief information security officers joining the board proper, which reflects the idea that business is everywhere, so security should be too. If you’re building an operating model that is fundamentally shifting, ask yourself what you’re doing as an organization. Are you growing organically? Are you growing inorganically? Are you moving to a digital construct? Are you acquiring organizations globally? Are you enabling hybrid working?

All of these things are shifts in a business’ operating model to gain competitive advantage or to look at survival. If you’re doing all of those things, then the secret sauce is making sure that you are in conjunction and in collaboration, building a security operating model that is reflective of that future state.

If you don’t do that with a people-centric approach, and if you view security as an afterthought, you’re going to either leave yourself exposed to risk, you’re going to inherit effects that adversely affect your culture of growth, or you run the risk of stalling or siloing the projects and the engagements that you’re delivering, and therefore you’re not getting the most out of your transformation.

So I think that’s the key for me – making sure that you are developing a security operating model and that that security operating model is in line with what you’re trying to achieve and how you’re trying to transform as a business.

THQ:

Is the degree to which getting the C-suite to move on this dependent on getting more technologically and security-minded people up at that level, so that they can explain it to the financial people?

RR:

It’s definitely important that that security aspect is represented at that board level. Absolutely. And we’re seeing more and more of that within our client base, so that that is increasingly the case – that organizations are recognizing the importance of having that security visibility represented at board level, so it gets aligned to their business objectives.

The counterbalance to that from a culture and awareness point of view, though, is that CISOs are having to increasingly become conversant in business language, understanding the financial aspects of an organization’s growth and development. So there’s absolutely a bringing together of skillsets and capabilities at board level to make sure that everyone is talking the same language, and is working in the same direction to achieve those goals.

THQ:

Not just breaking down silos of data then, but silos of language, too – for a better, faster, information flow all round?

RR:

Yeah, absolutely. 

THQ:

What did you set out to achieve with the research – and do you think the results meet your initial research goals?

RR:

We commissioned the research really looking to understand that interlock between security, culture and transformation. And the results, which show a strong need for businesses to use collaborative approaches and a people-centric approach, to break down silos, and to develop a fundamental culture of security-consciousness, rather than running it as an on-top function, show us how those elements interlock – and give us a way forward to recommend to our clients. And to all businesses, really, because the results speak for themselves – collaboration and a security-everywhere mindset can help businesses meet their ongoing goals. 

THQ:

Sounds like a great pitch – have businesses been easily accepting it, or is there a fight to be had to get the message across?

Just thinking about this from exactly what you’ve just said, has there been any data of the degree to which that has been easily accepted? Or is there a fight to be had to sort of get it across?

RR:

That’s an interesting point, actually. We’ve certainly got some statistics in the research that show the ranking and the view of the importance of culture, versus technology, versus security. But we also have a Club CISO report that we generate every year, and as far as that’s concerned, we’ve got 10 years of, of survey findings, so we can see how that trends over time and across industry verticals.

So we’ve got some quite rich data there in terms of whether there’s still quite a lot of conflict or whether people are settling on a commonality of approach in terms of how to go forward with a data-rich, security-everywhere strategy and a people-centric approach to help grow their businesses.