How security leaders can resolve the tension of a mandate without authority

Brandon Hoffman shares insights and experience on how to approach security to get results with less conflict


Are you struggling against a mandate to prevent a breach?

A lot of pressure is placed on security leaders to prevent anything from going wrong. At the same time, a lot of security leaders don’t feel they are given the authority they need to successfully achieve that mandate.

The responsibility of security leaders is a tricky topic. While security rests on our shoulders, ultimate success comes through working with other people. We are no longer individual contributors, so it’s time to explore better ways to get the results we need.

That was the focus of the discussion I shared with Brandon Hoffman (LinkedIn, @brandonshoffman), Chief Technology Officer of Lumeta Corp. Brandon’s experience spans leadership in software companies and as a practitioner. He has broad exposure to the IT landscape based on his experience outside security working in financial, media, and as a consultant for a big four firm.

We explore the tension between mandate and authority to unpack what security leaders need to do differently to deliver the success expected of us.

Are security leaders necessarily in conflict with the organization?

It may seem so in many organizations. Looking at the challenge with no inside perspective, in an altruistic context, it would seem that the security leader is tasked with a responsibility that hampers business. Many of the policies and procedures that exist currently are designed to protect data, people, and systems, and therefore may not have taken into consideration the business itself that is to be protected. This can manifest itself in what appears to be a conflict of agenda, but upon deeper inspection it most likely is really just a symptom.

Good policy and procedure is similar to good strategy. At its most basic and generic level it is a guideline. At least that's how it should be treated: a set of best practices and examples of what to do to protect whatever it is to which you are applying this policy or procedure. Unfortunately, the context is never added to these guidelines, and not only are they implemented without customization, but security leaders are measured on strict adherence, allowing for no customization. This would be similar to taking a diet or exercise plan and expecting great results without adapting it to your body type or goals. There is no one size fits all, and there never can be. Organizations have different goals, different data, and different business processes that make them tick.

Isn’t the better question for security leaders “how do you build a security process around the business that exists?”

This is the most logical approach. Odds are the business existed in some form before there was any legitimate concern about information security. Assuming that's true, and the business continues to be successful at its stated business, it's safe to assume there exists quite a bit of process and procedure around simply conducting that business. Enter concerns about security that carry with them a prescribed set of procedures and processes that should not simply be implemented. They should be INTEGRATED into the existing process. Without considering the pre-existing business process on which the company operates, layering in additional processes will necessarily introduce conflict.

In order to get closer to whatever security success metrics or goals have been outlined, it is critical that the security processes be augmented or customized to the environment within which they will operate. In certain cases the long-standing business process may need a tweak or two, and the security processes will definitely need to adapt. Too often it feels like security leaders are placed in a position of implementing ironclad policies or even products without having the opportunity to first ask the appropriate questions: Why are we doing this? What is our goal? How did we address this before? What business function am I trying to protect or might I interfere with?

How often are security leaders investing in security products before they even know what they need to do?

This is a long-standing concern with folks in the security industry who have a genuine interest in their customers' success. I am not saying we all don't have that, but this is a poignant concern. It is what I call marketing-driven security. In many cases it is easy to follow the trends in the industry, read the reports of hot technology, and jump on the bandwagon. Certainly this has appeal when reporting status or security program results to a savvy board. They read the same headlines, and if the program is using the latest hot tech they are satisfied. Sadly that doesn't necessarily mean that the security objectives are being met. Many times it seems quite the opposite, and often enough it is not always the security leader’s fault or within their realm of control.

The goal of any solution is to solve a specific set of challenges. In order to choose the right solution, one must first determine that they have the problems that solution proposes to solve. It is absolutely critical to understand the landscape of challenges and the category of issues that need to be addressed, in a prioritized fashion, before implementing or buying tools and solutions. Parallels to this situation can be drawn from many parts of life, such as construction. One does not simply go out and buy the hottest, newest, or most-on-sale tools at a hardware store. The first step is to determine what you are building and how to build it, and then determine the tools necessary to complete the task. This may seem simplistic, and it is, but it is very similar to drawing up a prioritized strategy for a security program.

Why is it important to know what kind of company you are?

This is another axis of the challenges with security product investment and business process. In order to properly set direction, you have to first understand what business you are really in. That will determine the priority of things that need to be protected. If the most valuable asset your company has is a specific set of data, be it customer data or intellectual property, the primary objective of the security program should be to simply protect that data. The majority of the program should be derived from principles that allow for protecting the data first and foremost. In this example one could go to the extreme and say, “Who cares that the hackers have penetrated the perimeter of the network? All of our sensitive data is encrypted.” Obviously that is an extreme statement, and you should care about bad actors on the network. The point, though, is that as a security leader builds their strategy, the core of the program and the goals of the program should be aligned with the business and with protecting those assets first. Taking this approach will help solve the challenges of business process and product investment.

Where should a security leader start to learn more about the business?

In many cases this can be a cultural challenge; in other cases an organizational one. Security can be daunting and very new conceptually to many of the organization’s leaders. Structurally, the security team might be placed in a silo or restricted by reporting structure. Allowing the security leadership to work cross-functionally without significant restrictions will allow the security program and team to be more effective and integrated into the business from a long-term perspective.

Assuming there are no structural or cultural challenges, a security leader should spend time with other leaders in the organization. This time should be spent discussing the objectives those leaders have, their challenges, processes, techniques, and long-term goals. This information should serve as critical input as the security leader gathers the threads of business process, asset classification, and company strategy and weaves them into their security strategy. Ultimately, that strategy and program should become well integrated into the business process, providing maximum protection and minimal business friction. Besides, if security strangles the core business process too much, there may not be a business to protect in the end. But without some measure of protection the same result is possible. There is a delicate balance, and strong communication and teamwork can provide a solid enough foundation that the balance is achievable.

Copyright © 2017 IDG Communications, Inc.
