How to make your security team more business savvy

CISOs are finding ways to inject more business skills into their teams through recruitment, training and staffing strategies that broaden workers’ horizons — strategies that they say are paying off with stronger security and better aligned risk management.


Myrna Soto has witnessed throughout her career the significant impact that business-minded security professionals can have on security success, so much so that she created a new position — the business information security officer (BISO) — during her tenure as global CISO with Comcast.

These BISOs cultivated relationships with business unit leaders to better understand the processes, transactions, initiatives and objectives that made their departments — and the company as a whole — tick.

The BISOs had to be more than technically astute and security minded to do well in their roles, and they had to be more than good communicators and fast learners. They had to understand business terms and principles, too.

To make sure they did, Soto embedded them within the business units for tours of duty and found other ways to sharpen their business acumen.

“If we did nothing other than that, we still would have gotten a tremendous value because that really opened those security professionals’ eyes to business needs and perspectives,” Soto says.


Now chief strategy and trust officer at cybersecurity software firm Forcepoint, Soto still seeks to cultivate business skills among security pros through similar cross-functional engagements in part because she says the most successful security leaders she knows have worked in operational roles. They’ve managed teams and had responsibilities around business investments and operational expenses, with line of sight to profit and loss (P&L).

The desire for business-savvy security teams is on the upswing, with the need for business acumen increasing as security pros seek to advance their careers into management and executive ranks, according to CISOs and other leading security practitioners. Indeed, (ISC)², a non-profit training and certification organization, recently listed it as one of the top 10 critical skills for the cybersecurity workforce.

“They have to have a sense of why we’re securing the business. In other words, what’s the business’ goal? Because if you don’t understand what you’re securing from a business perspective, how can you make that risk-based analysis?” Soto says. “It’s the so what to what we’re doing.”

Despite the increasing interest in business aptitude, experts say security professionals still enter the field with little (or no) business experience and with limited insight into business mechanics. That then means CISOs who want business-savvy teams must build those capabilities in their staff themselves.

It’s worth the effort.

Organizations are losing more of their technology perimeters, with cloud, remote work and other technology trends eradicating IT boundaries while creating more complexity for security. As a result, security teams must understand how to enable processes while lowering risk — a task that at its very core means understanding what’s most valuable to the organization and thus what needs to be protected without being obstructive.


“There is a very strong case for a security function that is complementary, highly tuned to the business [so] instead of security saying ‘no,’ security could be the folks that say, ‘I recognize the need for this change/addition and the business reason for it, and here’s the best way to do it securely,’” says Ralph Russo, director of the Tulane University School of Professional Advancement Information Technology Program.

CISOs such as Soto are finding ways to inject more business skills into their teams through recruitment, training and staffing strategies meant to broaden their workers’ horizons, strategies that they say are paying off with stronger security and better aligned risk management.

Here, CISOs and other leaders share their advice for bringing a business mindset to enterprise security teams:

Lead by example

CISOs should position themselves as business enablers and cast off the idea that their job is simply to protect the company, says veteran CISO Barak Engel, founder and chief geek with EAmmune, a data governance and security risk management consulting firm. As such, CISOs need to frame their work in business terms. They should, for example, quantify the benefit of security initiatives by how much they reduce risk and articulate how the organization’s security posture supports strategic objectives.


But the work can’t stop there if CISOs want to build a truly business-savvy team. Instead, they need to expect their direct reports, and then the wider staff, to shift how they view and describe cybersecurity toward risk and business enablement, experts advise.

“The place to start is almost always the language we use, switching to the language of the business. A lot of CISOs have figured this out, but it needs to go to the next level and across the team,” says Tony Velleca, CISO of UST Global and CEO of CyberProof, a UST Global company.

Others agree, saying that they push their teams to learn how their companies make money, how they make risk decisions and how they define their missions. They acknowledge that they don’t expect their security workers to be financial experts or hold MBAs, but they do want them to know how to read a P&L statement and understand targeted business outcomes.


“The CISO has to sit down with the business and have an honest conversation about what they’re trying to accomplish and then make sure they align,” says Candy Alexander, international president of the Information Systems Security Association (ISSA) as well as CISO and executive consultant at NeuEon Inc.

Alexander says CISOs can then take that back to their staff members, explaining their work with the same business language and establishing business-oriented metrics to measure the success of security team initiatives.

“So when new projects come up, the CISO can work with staff to understand how they fit in with the bigger business picture,” she adds.

Create opportunities for more cross-function experiences

As Comcast CISO, Soto leveraged her BISOs to gain an increased line of sight across all the business units that her security organization supported. But she says other programs that cross-pollinated security and business are also valuable. For instance, she has identified business-side workers who were technically savvy and brought them temporarily into the security department. And she has invested in business-level training for security workers.

Others go further, advocating for more security workers to spend some of their careers within business units so that they can sharpen their knowledge of how organizations operate and what they need to run.


“It’s easy to fall into the trap of focusing only on the things that fall into your silo, but every security professional can become more business savvy if you can invest in their learning the business and understanding what’s most valuable,” says former CISO Neil Daswani, now co-director of the Stanford Advanced Security Certification program and co-author of Foundations of Security: What Every Programmer Needs To Know.

Embedding security in IT — and more specifically on development teams — is another way to help security professionals get such insights into the enterprise, Russo says. His advocacy mirrors trends already under way in many organizations as they adopt a “shift left” philosophy for secure software development, DevSecOps and other such methodologies that aim to bring security into business initiatives at the earliest stages.

Russo says such moves mean security is looped into what the business wants within the regular course of their job duties.

“In this way, the security review and input would happen during backlog/planning activities, reviews, and retrospectives, so that tasks would be built with fealty to security. If fully embedded in this manner throughout the IT organization (risk management, DR/BC, contracting etc.) security members could then report back to centralized cybersecurity leadership on trends/needs/efficiency opportunities informed by the business ground truth,” Russo says.

He adds: “You’ve got to get the boots on the ground, get security analysts embedded into the IT operation, which should already be integrated with business users.”

Hire broader-minded talent

Cybersecurity and risk management expert David X Martin recommends seeking out candidates who have had experience outside of security, such as having worked on a product team or in a business unit. And he suggests finding those whose personal interests and hobbies indicate that they’ve cultivated a perspective beyond their professional life, a perspective that can be carried into their job. “You want someone who really understands what’s going on beyond their area of expertise because you want someone who can think about alternatives, who can show they understand the underlying business problems,” Martin says. “They may be unicorns, but they’re out there.”


Jeffrey W. Brown, CISO for the State of Connecticut and author of the forthcoming The Security Executive’s Communications Playbook, says he seeks out business-minded candidates and “people who show a genuine curiosity about the business, who want to know how the business operates.”

He says candidates who have read through the organization’s financials or mission statements or who come ready with questions about its future and its strategy reveal that they have an interest in learning the business. “Even when they ask about top IT projects, they’re showing a curiosity for more than security. That’s a step in the right direction,” Brown says.

Dave Estlick, CISO for Chipotle Mexican Grill, takes a similar tack, noting that he has hired people with experience and expertise in areas such as supply chain systems and then trained them in security in order to add that business acumen to his team.

Cultivate a business mindset in staff members

Making good hires is a start, but veteran CISOs say they then build on that curiosity and interest, taking advantage of informal opportunities to train their teams on business principles and processes.


Estlick, for example, says he builds business knowledge among his staffers by having them sit in on analyst calls and business meetings.

Brown says in previous organizations he has had business-side executives and managers speak with his security staffers about their objectives and requirements.

“The team took away a better sense of what the business is; they get some industry perspective, the competitive pressures, the business strategy, and it gives them a better sense of community – they see they’re part of a broader organization,” he says, adding that he plans to spin up something similar at his current job as well.


Martin also took similar steps when he was chief risk officer at an asset management firm, bringing security staffers to new product meetings and inviting workers from the operations teams to meet with the security staff “so they understood what the issues were.”

“The more interaction you have with the business, the better trained the security people will be and the more business savvy they’ll become,” Martin adds. “And put an emphasis on that when you evaluate your team.”

Copyright © 2020 IDG Communications, Inc.
