In many organizations, the security department is a nebulous thing. Everybody knows it’s necessary, but nobody really knows why it does what it does.
It’s time to break out of that backroom enterprise mode.
We have to enroll everyone in a vision where an organization’s security isn’t solely the responsibility of the security department, but everyone’s responsibility. In order to do that, you have to take security from out of the shadows and bring it to the forefront so people realize the important role security plays as an active business contributor.
Usually, the folks responsible for making the money are the visible ones in the company. But we play an important role in the retention of money, and maintaining the customer confidence necessary to obtain that revenue. Because if your company is getting hacked all the time, it’s losing customers over the idea that it’s careless and not doing the things it should be doing.
Companies need to realize that security organizations can prevent that sort of costly reputational damage.
Two things are crucial to changing the mindset about who we are and why our work is important: communications and data.
Take the time to communicate throughout the organization what the security team does, what it’s responsible and accountable for, and how people can reach out when they have an issue or question.
To get your messages across, there’s nothing more powerful than the all-hands address. If your company has routine employee meetings, tell the leadership team that you’d like to address the staff. Take that opportunity to let people know who you are, and how to reach out to you.
You should also take time to do newsletters, because they’re an effective way to communicate. I’d also advise sitting down with the leaders inside your organization, no matter where you report, and introduce your team and its capabilities.
It’s also critical to embed yourselves in routine strategy meetings. CISOs tend to be in very high-level conversations these days, but the mid-level strategy layer where things get done is equally important.
You also have to make your team more accessible.
Let’s be honest: We have to make sure we don’t put together a team of introverts. We’ve got to take the time to understand the workstyle and language of the people we hire so we’ve got some folks who are good at customer service and networking, as well as some folks who are really good at the technical.
As a business leader, you have to tell your team that you expect it to be out in front and network with the rest of the organization. That you expect it to know what the different departments in the organization do, how they function, and what their workstyle is so we have an opportunity to secure the business. That it’s critical to be a visible and well-known partner in the organization.
This requires a paradigm shift. A lot of people in technology are introverted, and you’re going to have to struggle with those folks who don’t want to be out in front.
We, as CISOs, must be a role model in this industry shift. My biggest tip is for you to transition from the person with the title of chief information security officer to the person who’s most visible. If everybody sees you all the time, then your team will come along with you in that transition from obscurity to being out in the light.
If communication is the most important tool to emerging from the shadows, then data is a close second. Data-driven teams are always more successful because they can tell a better story.
Security tends to be a very anecdotal enterprise. You use anecdotes about the bogeyman and the bad things that happen all around you to support your desire to improve security. But when all of your decisions are made using data, you immediately have a source of truth that other people have to be enrolled in because it’s in their face.
In the last couple of years, I’ve made my team data driven. What happens in the external environment is a data point. We look at things like industry trends. We pull data from what happens in our own organization.
When you’re a data-driven organization, you can’t be in the shadows because the extrapolation of that data in the first place is a very public event. You’re collecting information from all around the business, and everyone knows you’re there. When you make these decisions using these data points, proof of life exists.
The combination of data and communications makes you an essential hub of information for the business. It puts you front and center along with revenue generators and everybody else, so people recognize the importance of what you do.