Today, many organizations look at information security and governance as a baker would icing on a cake. Something you apply at the very end, mostly to make it look better and add a bit of flavor. It isn’t a structural component or key ingredient, its simply there to cover up the raw product. As can be expected, icing cannot save a cake that’s missing key ingredients like sugar, or eggs. Likewise, if a business doesn’t integrate security into operations from the beginning there is only so much that can be done to implement necessary controls.
Using this approach, organizations only achieve a thin veneer of security, lacking the protection provided by a more layered approach. There is only so much security that can be added after the fact. Thankfully this is not the only approach available. Organizations must be cognizant of all available strategic opportunities if they hope to be successful. With careful planning and understanding security can become not only more effective, but also more supportive. This is where strategy comes into play.
In a perfect world, as businesses develop their business strategy cybersecurity would be included and layered throughout from the start. This would provide the most robust, effective, and easily integrated security program, and one that actually complemented both the business and its long-term goals.