The Dept. of Know Live!: 4 highlights from Rinki Sethi’s chat on success in modern security
Defining what it means to be successful in modern security is tricky. Effectively blocking threats shouldn’t be the only marker of success — in fact, if it is, there’s a likelihood you’ll fail.
As Kelly Shortridge, Bea Hughes, and I discussed on The Dept. of Know Live! last week, true success includes multiple factors. If you missed the session (don’t worry, you can still watch it), here are my favorite takeaways:
1. Security should be seen as a partner for the business
Security teams have often been thought of as the naysayers, or “the department of no,” but the tide is turning. We’re seeing more security practitioners sitting on boards, and boards themselves talking about security as the No. 1 business.
Modern security is all about understanding security’s relationship to the needs of the business. More than ever, companies are taking stock of how security can actually be a competitive advantage, and prioritizing it from the very beginning. While security leaders have traditionally been more technology-focused, they need just as much business savvy now to be successful and to understand how security can be a true partner to the business and enable business goals.
2. Championship must go beyond lip service
When security is just a checklist item for an executive, employees know, and it can be hard to create a positive culture around security. Modern security means partnering with business leaders across the company to ensure they can speak intelligently about security priorities. Executives all the way up to the CEO should be able to talk about key security initiatives with the same level of knowledge and enthusiasm they use for new products and features.
I’ve worked at companies that saw success by thinking of fun and creative ways for executives to talk about security, such as by starring in quirky security videos played at all-hands meetings. I’ve also seen executives actively review security risks during staff meetings, help create dashboards, and drive and own risk reduction in their departments. Those are measures that take championship beyond the lip service that we’ve become accustomed to.
3. Effectively measure and communicate risk
Risk is a hard thing to measure, which makes it difficult to determine what data will showcase the importance of a security initiative. This is why it’s helpful to look externally at attacks and threats that have created risk for other companies — nothing reinforces a point more than an example of what you don’t want to be.
I’ve found success in tailoring the message for the audience. A finance team and an engineering team have different priorities. It’s about being able to highlight existing risks, the metrics you’re tracking, and what those metrics mean for specific roles — like how an individual team’s work ties to risks and what can happen if their work is not done securely. It’s not a one-size-fits-all task, so putting on your psychologist hat and digging into what will make individual teams truly understand their impact is essential to success.
4. Cultivate strong partnership skills
It’s not uncommon for security teams to have a negative brand. Roles focused on shipping code, for example, may think, “If we partner with them, they’re going to slow us down and make our job harder.” This can cause people to bypass security altogether in the interest of speed.
If this is the case for your company, building a better security culture starts with taking a look at your security team to understand how it earned that reputation. Security teams should understand and align with business goals, but they also need to be confident that mitigating risk will not fall completely on their shoulders. That’s done with executive sponsorship. Once you have that executive buy-in, you can insert the checkpoints and gates and implement processes that partners across the company can be accountable to. Ensuring that everyone is on board and that healthy feedback loops are in place builds shared accountability and true partnership.
To sum it up
At the end of the day, success in modern security requires learning how security fits into the larger business context. It’s about prioritizing the security risks we’ve been battling for years, while finding ways to make them consumable to the business. That’s how security becomes a business priority and moves past being seen as “the department of no.”
Watch our full conversation on demand, and tune in later this week on March 10 at noon PST when Sounil Yu, CISO and Head of Research at JupiterOne, joins The Dept. of Know Live! to discuss how to make security an enabler of innovation.