The Security Transformation Research Foundation has for objective to develop and communicate targeted research material that encourages and helps organisations make the improvements needed around Security, Business Protection, Risk and Controls so they can overcome current organisational, governance and cultural limitations and are better protected going forward


There are many organisations that do not have good Business Protection practices in place. This is not because Best Practices do not exist or are not widely recognised. Comprehensive control standards (e.g. the 27000 series) and practice standards (e.g. the ISF Standard of Good Practice) have been around for ten years at least and are widely known about. Practice maturity guidelines (such as CMMI, C2M2) also exist.

This disparity between current practice and Best Practice is not due to a lack of benefit from better levels of practice. Better practices would result in better protection. The threat environment is active and organisations across all sectors suffer a wide range of security incidents and harmful outcomes every year. Regardless of current levels of harm, the level of harm would be lower if practices were improved.

The threat environment is worsening. It has been worsening across the last decade in several ways (in the range of threat, threat volume and threat severity). There is every expectation that the threat environment public and private sector organisations face will evolve substantially in the medium term and become substantially more virulent and pernicious.

However, organisations’ Business Protection practices haven’t changed much in the past ten years and changes have tended to be tactical or reactive more than structural or strategic.

It is possible that the current level of harmful outcomes has not been sufficient on its own to drive structural or strategic improvements in Business Protection practices.

In the face of a worsening threat landscape, organisations need to improve their Business Protection practices in order to maintain – at least – their present level of protection. If they do not, in the future they will continue to suffer greater and greater levels of harm.

Continuing to replicate the tactical solutions of the past will not help: To make structural progress, they must identify the roadblocks that have prevented progress in the past and address those where ever they might be, looking without complacency towards the organisational, governance and cultural fields.