SecurityWeek

Management & Strategy

Get to Know Your Business Groups and Reap Big Dividends

When I first started working in private sector security after leaving the military, I took an approach that I see a lot of CISOs taking today.

I had a security program to implement. I would wrap my security measures around all the company’s technologies, despite what users or business groups had to say about it. And I would drop the security program on the company like sod on cement, with a giant thud.

Well, it turns out, sod doesn’t grow very well on cement. For grass to really take root, it has to be in the right soil, and the right climate. It has to be planted carefully, watered and fertilized. And to torture the metaphor further, it has to be the right species of grass for the conditions and the application.

In security terms — when you don’t understand the organism you’re applying controls to, you end up just putting a wrapper around everything instead of building targeted, integrated controls. Inevitably, this slows things down. And what’s worse, it also ends up creating shadow IT as business groups circumvent your measures so they can get back to business.

Once I figured this out, I found ways to build control systems that were an integral part of the business I was supporting. I expanded my vocabulary beyond the word “no.” Instead of cutting and pasting ISO 27001 and presenting it to stakeholders, I wrote every word of my policies.

As it turned out, those controls were not only more effective, but much of the time people weren’t even aware the security was there. And I was also having a lot more fun.

This is not just a shift in mindset or culture, and it’s not just for one particular organization. This is a necessary change that’s happening throughout the broader IT industry. Today’s IT environment is no longer centralized, and we need to recognize that this shift means the security function can no longer be centralized either.

And it has to be a team effort. Today some CISOs are still trying to take on not just the practice of security, but also the practice of understanding everything they’re trying to secure. But the entire risk portfolio of any good-sized business has just become too large.

In order to balance the needs of the business with the need to contain risk, security teams must become security solution partners and work in the trenches to make security intrinsic to the applications, systems and data that power the company. In fact, many businesses have already made a similar transformation in support of decentralizing IT functions into the lines of business; that structure is described and codified in ITIL Version 3 as Business Relationship Management.

At the same time, leaders on the business side need to better understand security too. They’ve become much more sophisticated in understanding IT, and they need to bring that same level of sophistication to security.

Embedding security pros as solution partners facilitates the type of ongoing dialog that elevates the conversation on both sides. When that happens, it enables the whole company to become more agile. This approach enables you to start those conversations and create expertise in your business groups that will pay off later.

Today I see security professionals more as advisors, as champions of risk. We become most successful when we govern the process but understand that the business groups are the primary stakeholders. It’s our job as security pros to help those stakeholders understand the language of risk.

In doing so, we’ll find they want to carry more of the responsibility on their own, such as conducting their own risk assessments. The business groups are in a much better position to do so anyway — since they know their systems, processes and protocols.

As an advisor, you’re able to tell them when a particular set of data falls under a certain regulation, what the external risk is, or whether their current treatment of that data introduces risk of noncompliance. They need your expertise just as you need theirs.

If you can make this shift and get to know your business partners, their processes, the ways they operate and the manner in which data flows through their systems, you will work successfully together. You’ll find you can rely on the experts who understand what they’re trying to secure, and collectively you’ll be able to secure more, much faster.

Ultimately, you’ll end up with systems that work better. You’ll reduce risk. You’ll do it in a way that the business actually agrees to, and you’ll have security that enhances the business instead of slowing it down.

And maybe you’ll even have a little more time to kick back in the grass.