How much of your success in security depends on other people?
The reality is most security success depends on other people. Budgeting and buy-in is essential. Projects often include or impact other teams. And real success means integrating security into the core functions of the business – which hinges on knowing what they are.
Security continues to gain attention in the executive suite. How do you earn the trust you need to get invited to the important conversations and decisions?
I recently explored this with Ed Snodgrass (LinkedIn), Chief Information Security Officer and Principal of Secure Digital Solutions. Ed has extensive security experience with two of the world’s largest retailers. He has led teams in security, compliance, risk, M&A and supply chain security.
We talked about the need to challenge traditional thinking and approaches in security to make the leap from “security resource with a team” to trusted leader. Ed shares ideas on how to remove the limits we’ve placed on ourselves to improve our programs and earn the respect we need to keep making advancements.
Why do traditional security metrics end up limiting our efforts?
Traditional security metrics are operational in nature. Operational metrics are important because they provide hard data into what the technology is capable of and how it’s performing. The challenge is translating those operational insights into value for someone else. Reporting that we stopped 50,000 phishing attempts last month and expecting that number to stand on its own fails to help our case. It seems like big numbers back up a phishing threat. And 50,000 is a big number. The problem is the implication of stopping 50,000 attempts is what, exactly?
Translate that into dollars. How much potential financial/brand/IP damage did security mitigate by blocking those 50k attempts?
Compare that to the investment in the respective people/process/technology combating phishing in the org and the ROI likely becomes clear very quickly. Or sometimes it doesn’t. That means we need to take an approach that takes what we know and presents it in a way the business understands.
How do we translate security experience and success into what the business understands?
Each company executive has a mission. They need to quantify and communicate challenges and successes using standard company concepts and language. The key for security professionals is to learn to use the lingo and concepts of the company. Be part of the team. It’s not so much learning a new language as it is learning how to relate to everyone else in the company.
The business of security is complex. It’s up to us as security leaders to translate what our security organizations do into something that the business can use to make strategic decisions.
One way to do that is to use the company’s Enterprise Risk Management (ERM) scale or framework. That’s what the board is focused on. Because of the shared attention, it’s critical to be able to equate a ‘high’ security risk to a ‘high’ technical or financial risk as well as being able to quantify that risk in terms of what the board level KPIs are (loss of brand/reputation, fines and penalties, loss of IP, etc.).
It’s not easy but it can be done. Instead of simply telling people about a risk, explain why it’s a risk to security and ask them what it means to them.
- How could it lead to loss of POS availability for a retail CIO, fraud for a financial services CFO or loss of proprietary IP for a technology company CTO?
- When they ‘get’ it, does that understanding now change their strategic business goals?
- What is their perceived level of risk to their respective business?
Based on what they share, have the discussion about how security can plug in to their roadmap to mitigate the risk and collectively accomplish the mission. That creates the partnership we need for security success.
Why do security leaders need to move past capability to focus on capacity?
The capability of a security team includes the people, process, and technology. Assessing the talent, tools, and ability to combat regular threats is “table stakes” for a security leader. Often overlooked is the capacity of the team.
Capacity is a clear understanding of how well the security capabilities can adapt, respond, and meet future initiatives. And while staffing factors in, capacity is more than the number of people on the team.
Capability together with capacity determines the maturity of the security program. Understanding capacity gives insight into how the team evolves.
For example, if the company decides to pursue a large merger, does your security org have the capacity to assess risk and support systems integration by realigning current resources or will you have to hire talent that you don’t have today? Can your org support IT’s transition from Waterfall to Agile? Do you know? Chances are, the answers to those questions will affect the business decisions. Knowing how mature the security organization is gives visibility into how to effectively move things around to get the results needed.
How does diligent practice with consistent results get security invited to the table?
The CISO ‘having a seat at the table’ is frequently discussed in the industry. Opinions abound to explain why it does or doesn’t happen. In my experience, it starts with partnership. A true partnership is more than just being at the same level on the org chart as the company’s business and technical leadership. It takes time and effort to build solid relationships with security’s peers. Invest in those relationships to truly understand how the business functions. Make time to understand what goals and objectives your colleagues have. Find out what they need to be successful. Based on your understanding of their needs, propose proactive ideas and solutions that will allow them to accomplish their mission securely. Share the strategic security roadmap and discuss alignment.
Is it easy? No. That’s why it takes diligent – and sometimes patient – practice. It takes time to build trusted relationships.
Expect pushback and questions from business leaders. Instead of bristling when it happens and taking a defensive stance, encourage it. Seek out the questions. Solutioning starts when everyone knows the challenge.
These discussions keep security leaders up to speed on the business as well as the obstacles our peers face and form the basis for strategic solutions that drive positive change, improve scale and offer competitive advantage. In turn, it increases the business’s understanding and appreciation of security’s mission.
Over time, this is how you gain the trust and respect necessary to be consistently included in key activities and events.
How do you recommend a security leader take the first steps?
Start by choosing a framework. With plenty to select from, pick the one that best suits your model and allows for the most effective measurement and communication. Use the framework to assess your current situation. Explore how to connect your framework to your organizational ERM strategy.
Then invest the time to align your framework and team roadmap to relevant regulations and requirements. Make sure you can explain how and why to a business colleague. Take the time to get the translation right. Meet with your peers and expect to work through a few iterations to get it right.
Use where you are as a starting point and set reasonable goals.
Communicate the goals to IT and business leadership and quantify metrics to measure the progress toward and successful accomplishment of those goals. The metrics could be risk reduction, efficiency, dollars, new capabilities, etc. – whatever is most appropriate to your organization. The important thing is that everyone knows what they are and what they mean so that security’s successes are clearly understood. One way to do this is to map applicable controls to security program processes. It provides an effective way to speak to capacity and capabilities while bringing to the table meaningful and repeatable KPIs the business can easily understand.