How security executives can feel comfortable in the boardroom and server room

With security ranking as a top concern at every company, you’re likely to find CISOs and CSOs who are equally comfortable in the boardroom and the server room. Security leaders now play a role that goes beyond traditional security duties and encompasses contributing to critical elements of the business. To excel in these expanded positions, they need more than IT acumen and a strong understanding of security. The new essential skills encompass being able to clearly articulate the importance of security to non-technical executives, show how security can help a company achieve its business goals and balance security with innovation.

Frame security in terms of risk to the business

Spewing technical terms to business executives and corporate boards won’t help CISOs convey the importance of security. C-suite executives and board members speak the language of revenue, profit margins and budgets, not firewalls, SIEMS and incident response.

To reach these audiences, security concerns need to be presented in the context of risk to the company. This is one area where security and business executives have a strong, mutual interest: business executives want to avoid risk, while security executives are responsible for mitigating it.

For security executives, this means explaining what risks the company could face if it doesn’t enact certain security policies or take specific measures. Board members may not grasp why a CISO is pleading for a budget increase to purchase endpoint visibility software. But they will understand that without that software the company’s intellectual property may end up with a competitor if a hacker infiltrates the network, remains undetected for months and exfiltrates sensitive data. Explain the impact of the risk and avoid a technical discussion of the technology you plan to use.

Learn how security can help the company overcome obstacles

Successful security executives understand the challenges their company faces and how they can help overcome them. Learning what these challenges are requires CISOs and CSOs to unchain themselves from their desks and talk to other executives, department heads and rank-and-file employees. Ask how the security team has failed them in the past and solicit ideas on how to alleviate obstacles that have prevented people from completing their jobs.

This exercise requires keen listening skills and a degree of humility. You may know how to reverse engineer malware, set up a firewall and handle all things related to information security. But you may not know about projects that should include the input of someone from the security team. For example, a CISO may not be aware that the product team is developing a mobile app that will ask users to input personally identifiable information. For security types, incorporating security features into the app before thousands of people download it is obviously preferable to trying to retroactively add them following an incident. But you may never know about that app until after it’s launched if you spend most of your day sitting at a desk. Information security can’t be conducted in a silo.

Add security early on to preserve innovation

Listening and talking to people outside of IT and security is also helpful in overcoming the perennial challenge of balancing security and innovation. Ideally, security should be incorporated from the start of a project. However, security is frequently seen as a hindrance to development and overlooked.

But by talking to co-workers, security executives can learn what other departments are up to and raise security concerns before a project is finished. The earlier security is considered, the better. Security professionals can offer flexible and adaptable solutions that preserve innovation as well as keep a product secure. Soliciting security’s advice with a project deadline looming or when a product is nearly complete leaves limited security options. In these situations, security can appear to stifle innovation.

A corporate culture that embraces security also helps companies balance security and innovation. This culture should grow over time as security departments show that security and innovation can co-exist. The other way to develop a security-focused culture is by having executives emphasize the importance of security. Again, this mindset is possible if security executives talk about security in the context of risk to the business and avoid technical terms.

For CISOs and CSOs to excel in their jobs they need to understand that their duties include much more than patching software. They’re also required to explain why security matters in a way that resonates with people from across an organization and figure out how security can help, not stymie, innovation.

This post previously appeared in the RSA Conference blog.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career in and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
