I have often wondered why the “security as an enabler” model is as rare as a unicorn in the wild. The logic works in a vacuum, and it would be great if it held true. However, once humans and politics (layer 8 stuff) come into the mix, the cybersecurity team tends to be viewed as the naysayers who block progress. Quite honestly, the “security as an enabler” mantra only seems to work for organizations that profit directly from the sale of cybersecurity. Those who understand the role cybersecurity plays in a typical organization realize that this is unfortunate.
With this thought in mind, I was reading an article about the traits of CEOs and found two points that I think contribute to these challenges for information security:
- Bias toward action
- Forward Thinking
By no means am I criticizing CEOs for these traits; they are primary contributors to keeping a business relevant in its industry. I am just using them to help explain why a “security as an enabler” mindset so rarely exists within a typical organization.
CEOs are the highest single point of authority within an organization. They often appoint CSOs (Chief Security Officers) or CISOs (Chief Information Security Officers) to be responsible for security and/or information security. These security roles are directly or indirectly subordinate to the CEO.
As a general practice, the CEO is continually inundated with ideas from internal and external sources. These ideas are meant to solve business challenges, increase profits or increase the organization’s relevance in its industry. The “bias toward action” and “forward thinking” attributes of a CEO, combined with a surplus of ideas, can lead the organization in a lot of new directions.
One other CEO attribute identified in the article is “Willingness to take calculated risks”. On the surface, this seems to be the counterbalance required to keep the chaos at bay, and I am sure it does keep a lot of ideas from reaching fruition. However, calculating risk around complex technological systems is very difficult and requires individuals who understand both risk and technology.
I think it is this bias toward action, combined with the other motivators that make CEOs successful, that creates a healthy ecosystem for ideas. Through the lens of a cybersecurity professional, each of these ideas has associated risks. To be effective in the cybersecurity role, it is imperative to figure out how to manage those risks effectively.
To remain relevant and increase efficacy, there are a few things security professionals should do. I have included some of them here:
- Avoid saying no—when possible, offer solutions, not roadblocks.
- Engage risk teams if they exist—if the organization has a risk officer, focus on the cybersecurity side and work with that individual to determine the risk factors and sell them to the organization.
- Offer examples, not FUD—the industry is chock full of fear, uncertainty and doubt. While there is nothing wrong with explaining “what could happen”, that message eventually falls on deaf ears. A more impactful message is to share concrete incidents that have actually happened in similar organizations.
- Don’t promise to “secure” (but DO mitigate and manage)—it is impossible to deal in absolutes in information security. It is, however, important to manage security and mitigate risk. Professionals need to be careful not to oversell their capabilities, especially as the attack surface keeps widening.
- Assess benefit vs. risk—this is an organization-level charter for gauging whether the organizational benefit of a new solution or product offsets its assessed risk (and there is always some risk).
The goal of cybersecurity professionals working within an organization must be to manage risk effectively. This requires becoming core to the operation of the organization, and it requires the cybersecurity team to become and remain relevant. Each organization has different challenges, both internally and in the services it offers. Cybersecurity professionals who work with the organization’s true best interests in mind, and who work to understand its stakeholders, will remain more relevant to the business. Those relationships are what move the needle toward security as an enabler.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.