If you're a security leader, some of your most critical responsibilities don't involve technology at all.
These non-technical responsibilities can be daunting for those who have spent their entire careers mostly dealing with technology and technical people. Here are a few key principles that I've found helpful.
Spend more time with other business leaders
When you're a security leader, you spend a lot of time with your own team. You need to supervise them and align priorities to focus on what is most important. Your team will constantly come to you with questions, issues, and potential threats to be concerned about.
Be careful, though. Working with your own team is critical, and it will be easy to fill your days talking with just them, putting out the latest potential fire or containing a threat. After all, that's probably where you're most comfortable, because 1) you have an innate kinship with other security professionals, and 2) you feel it is your duty as the team's leader to be there for them first and foremost.
The challenge is that while managing your team is critical, it is equally or more important, as a leader in the organization, to spend time with your peers at the C- or SVP level. That includes your company's leaders in finance, operations, IT, business development, and R&D. Why?
You need to nurture these relationships because:
- They're making decisions that will impact security. If those decisions aren't informed by their security implications, you will have to solve a whole lot of big problems after the fact — instead of helping build security into all other business decisions across your organization (which is more efficient).
- You need to learn their language. Business decisions aren't made on the basis of Log4j vulnerabilities and .NET code. They're made on the basis of perceived risk, market opportunities, and net present value. If you're going to effectively represent security at the executive and board level, you'll have to learn to speak executive and board language. And, part of learning any language is immersion.
- You need to be a peer, not an outsider. If you don't build relationships with your company's other top managers, your security agenda can easily be seen as a burden and impediment to driving change quickly. You want to be perceived as a trusted member of the team who is only looking out for everyone's best interests. But you can't be perceived that way if you don't spend time listening to what everyone else outside of security has to say.
Given all the challenges you and your security team face daily, sitting in on a meeting about your company's long-term strategy for a differentiated customer experience may feel like a waste of time. It isn't, though — because multiple aspects of that strategy can materially affect your security challenges and your security budget.
Always connect risk to business impact
Security professionals rightly take a lot of pride in what they do. Since their job is to prevent a breach, they tend to view any intrusion as a failure, and they define risk as the possibility of an intrusion.
But to the business, risk isn't the possibility of an intrusion. It's the probability of an intrusion that adversely impacts the business in some tangible, quantifiable way.
The distinction between these two different understandings of “risk” is non-trivial. If you take a purely technical approach to risk, you can spend a lot of money and a lot of effort on addressing issues that would ultimately cost your company little more than a few hours of lost productivity in a remote office. If you focus on business impact, on the other hand, you'll appropriately allocate more resources to ensure that your company avoids a problem that's less likely to occur — but more likely, if it does occur, to result in a Very Bad Day that costs millions in revenue, alienated customers, and an erosion in brand value.
An impact-centric mentality will drive you to focus a lot more on rapid, effective intrusion detection and response. And that's smart — because the longer you allow intruders to probe your environment after their initial penetration, the greater the likelihood that they're going to be able to do something devastating to your company and your customers.
Security leaders who allocate their budgets based on business risk are also more likely to leverage external expertise and services — which enjoy economies of scale — than they are to grow their staff headcount. This is especially true given how hard it is to find, recruit, and retain security talent in-house.
I know these decisions about whether to grow internal expertise or leverage outside help are not trivial. As the CISO of a security solution provider, I know our business success depends in no small part on our proven ability to protect ourselves from the same threats everyone else faces.
And, as CISO, I use the same managed XDR service that Secureworks® sells to you. That's because Taegis™ ManagedXDR is technically effective and economically efficient. As CISOs, you know that the latter is as important as the former, because none of us have infinite resources, and there isn't an infinite supply of qualified security professionals.
To learn more about how you can best align your security conversations to that of the business, read this paper titled: Reporting to the Board of Directors: A Toolkit for CISOs.