For many, the changing of the calendar is an invitation to make resolutions for the New Year. And like the gym parking lots full of cars in January, those resolutions fade quickly as the reality of life sets back in.
This year, instead of relying on predictions and making resolutions, pick a pathway designed to bring success. Take actions to guide the work of the security team in a way that makes subtle, but lasting changes to the way the business is protected.
Choosing this path allows you to focus on the right things. It leads to a year of measurable success that sets the stage for an even brighter future.
Consider these three steps as intentions to guide the practice of security.
1. Learn the business
The role of the security professional is to protect the business. While awareness of technologies and changing threat landscapes is necessary, success requires a fundamental understanding of what the business values… and why.
Over the last few months, during speaking and client engagements, I asked CIOs and CISOs to list the three most important priorities of the business. Not the broad goals of making money, providing service, etc., but the actual programs and actions that created the most value for the company.
The common response was a smile followed by an awkward pause. In the last six months of asking that question, I count only a handful (literally, fewer than 5 out of over 500 people) who could answer.
If you cannot answer the three top priorities of the company -- and understand what they mean, how they flow, how they create value -- then what are you basing your efforts on? How are you deciding which projects to fund, where to allocate resources, what meetings to attend, and so forth?
As a first step, find out what the CEO, COO, and/or CFO consider the priorities. Admittedly, the priorities of a business are often broad, confusing, and not understood the same way across the organization. That makes it essential not only to learn them and demonstrate mutual understanding, but it also creates an opportunity to provide value to others by helping them build a better understanding of what matters most.
Equally important is making sure your team shares the same mutual understanding. These priorities guide the daily, weekly, and project-based efforts.
2. Provide minimum viable security
A recent client was faced with the common challenge of a business group flat-out ignoring the security team. In addition to creating friction between the teams, the concern was the business unit spending money on “shadow security” in a way that would increase the cost (and complexity) of audits while increasing overall company risk.
During a closed-door session of the security team leadership, we explored the situation from the perspective of the business unit. At the whiteboard, we documented the challenges, pressures, constraints, and other stresses the business unit faced. With the board full of words, lines, and symbols, it became clear that the current approach of the security team was simply creating more stress without providing a recognized benefit to the business.
The efforts to provide ‘security’ simply forced the business to choose between revenue and regulated activities on one side, and incorporating security they didn’t understand on the other.
To remedy the situation, I proposed taking a different approach: work with the business to pick the path of the minimum necessary security. It meant going to the business with a different value proposition: “we’ll help you do the minimum necessary -- to protect what matters most and remain in compliance.” This allows the business to free up resources (people, time, and money) to focus on their higher priorities, while still managing security needs.
Similar in concept to “minimum viable product,” providing “minimum viable security” means shifting from the “team of no” with a complex list of requirements to trusted advisors working to keep the focus on what matters to the business while still paying just enough attention to security.
A few of us kicked around this concept last fall, and Peter Hesse recently started to define and build on what this means so businesses can operationalize the concept.
Bottom line: minimum viable security is providing precisely what is needed, matched to the priorities of the business.
3. Prioritize security efforts accordingly
If everything is a priority, then nothing is a priority.
Individuals and teams in security need a clear understanding of their top three priorities. Just because you (or your team) can do something doesn’t mean you should.
By understanding the priorities of the business and charting the path of minimum viable security, it is possible to define what matters most to the security team. The overall priorities of the team need to be established and mutually understood. Individual priorities, based on skill set and responsibility, are then fleshed out to advance the goals of the team.
A model I’ve used successfully with clients includes focusing on three areas:
- Framework (guidance): a blend of architecture, good practices, compliance, and the elements necessary to provide a consistent approach and enable (minimum viable) security across the organization
- Visibility (evidence and insight): dual purpose of (continuous) monitoring for compliance with the framework and minimum viable security as well as searching for unknown and unexpected activity on the network and systems of the enterprise
- Engagement: the focus on building relationships to both reach out to different groups and serve as the central contact for individuals and teams with security questions in a way that provides outstanding service that advances security
While your model may look different, the goal is to focus on the three areas that create the most value from security for the business.
Security is successful when the business creates value
It's time to face the fact that, in business, our focus is not on securing everything. Instead, our role is to provide the right blend and just enough security to protect business assets in a way that allows the business to increase value.
It means moving from a stance of telling people what to do to a collaborative approach that communicates value and helps people make the right decisions. With that understanding, partner with the business to learn how they achieve their goals. And then look for ways to make a difference.
We need to be responsive to the business. We need to increase business value. The way we do that is to help others protect what matters to them… in the least intrusive, least impactful way.
Make these three intentions the focus and improve security by helping the business increase value.