Challenging perceptions around Security, Business Protection, Risk and

The Security Transformation Research Foundation has as its objective to challenge the way Security, Business Protection, Risk and Controls functions are currently perceived, governed and operated across the large enterprise, and to identify the reasons preventing structural progress in those areas.


The concept of Security is driven by the dynamic relationship between the level of threat, the level of protection against those threats and the potential level of harmful outcomes. The level of protection establishes a balance between the level of threat and the level of harm. If the level of threat were to increase, the level of harm would increase, and that would drive an increase in the level of protection until a balance is restored.

For dynamic systems such as this, the amount of practice improvement that results from a change in threat is a reflection of ‘force’ and ‘friction’. The ‘force’ driving improvement is the perceived ‘return’ or ‘benefit’, i.e. the reduction in harm that can be expected for the effort and investment required to make the protection improvements. The ‘friction’ impeding change arises from organisational inertia and any barriers that stand in the way.

In the Information Security space, organisational inertia is not sufficient on its own to explain the disparity between present Information Protection practices and Best Practice. There are too many organisations that are too far short of Best Practice for inertia to be a sufficient explanation. In addition, the people responsible for equipping an organisation with suitable Information Protection practices are, on the whole, motivated to provide better protection and would do so if they were able.

Other reasons are needed to explain the lack of structural or strategic improvement in Information Protection practices over the past ten to fifteen years.

If the reasons preventing structural progress in the Information Protection space could be identified and overcome (where appropriate), significant practice improvements could be made, enabling organisations to improve the level of Information Protection they achieve and reduce the future levels of harm they suffer.