You’ve just gone to a widely acclaimed movie, which lived up to all its hype and early glowing reviews. The lights have gone up, and you start to walk out of the theater. Chances are you are not sticking around to watch the credits scroll.
And you’ll probably pay no attention to the hundreds of behind-the-scenes experts who ensure the quality of everything from costumes and lighting to cinematography and business operations. That’s understandable–and yet, without those experts, that Academy Award-nominated film might never have made it to the big screen.
Security Engineering is a lot like that. Without world-class Security Engineering, all the noble goals for achieving rock-solid security in business operations and for securely rolling out new products and services would fall catastrophically short. Security Engineering is the organization’s digital SWAT team, typically rolling in just after a new business idea is conceived or the need for better cybersecurity hygiene is identified.
Security engineers don’t have the same high profile or broad responsibilities as a CISO; they don’t regularly meet with board members or the CEO. But if a cybersecurity initiative must be planned, deployed, monitored, and managed, they will have a huge presence in the business units. And in so doing, they will have extensive contact with C-suite executives and, in some cases, board members.
Because Security Engineering is embedded within the CISO’s organization, it’s understandable that business leaders may not have a deep understanding of its role and the value it delivers to the organization. So let me share with you five ways in which your Security Engineering organization supports a more secure enterprise.
1. They are Responsible For Getting the Requirements Right. In cybersecurity, strategic initiatives must be supported with a sound, implementable plan. And that begins with understanding, documenting, and designing requirements into a solution format. The CEO and the CISO are going to have the critical initial discussions, but they will focus on big-picture goals, not on the game plan necessary to ensure that a new IoT initiative can be rolled out without compromising customers’ personally identifiable information. That’s why security engineers need to be in on discussions with business stakeholders as soon as possible, in order to pin down the requirements from both a technical and, especially, a business operations standpoint. To do that, they do painstaking, end-to-end testing of assumptions and solution options, all of which requires constant communication and collaboration with business team members and subject-matter experts.
2. They Understand, Articulate, and Promote a Culture of Cybersecurity. If security engineers do not know, support, and shape their organization’s cybersecurity culture, they will not know which solutions will be most likely to be seamlessly adopted by business units, which ones will be ignored, and which ones will be actively opposed. Done expertly, security engineering promotes a cybersecurity culture that is in sync with the organization’s core values and behaviors. Because they are intimately involved as ambassadors of a strong, appropriate cybersecurity culture, they are passionate in helping business users embrace best practices that will make their jobs easier and give them more confidence, rather than impeding business innovation with cumbersome security processes.
3. They Appreciate That Technology is a Tool, Not a Panacea. Although security engineers are, by mindset and training, highly technical professionals, they are pragmatic about the practical limitations of cybersecurity technology. After a solution has been implemented, Security Engineering teams monitor its activity to understand how to improve it further, or how to fix something that unexpectedly goes off the rails. Rather than being stubbornly committed to justifying earlier technology assumptions, they are always on the lookout to advise leaders and governance/risk/compliance (GRC) teams on new policies that should be implemented to remediate risk, particularly as the already-rapid pace of technology innovation accelerates.
4. They Threat-Model the Solution, Not Just the Problem. All good security engineers do threat modeling on problems, but the great teams take it a step beyond and actually threat-model the solution. A new control is itself new attack surface: it adds components, privileges, trust boundaries, and data flows that did not exist before, and this rigorous approach helps them identify the existence and source of new threats that could impact business operations. They’ll even work with “red teams” (think of them as “ethical hackers”) to leverage their hacker mindset for innovative problem-solving approaches. As business leaders look to introduce more cutting-edge technology solutions around things like mobility, IoT, cloud, and artificial intelligence, this kind of mindset can be instrumental in ensuring good cybersecurity outcomes.
5. They Train Your Operational Teams. Even after all the planning, development, deployment, and outcome evaluation is done, security engineering remains on the job. One of their most important goals is to operationalize and monitor system activities, leading to a seamless hand-off to, and training of, operations teams in IT and business units.
At the end of the day, Security Engineering is a vital and increasingly integrated part of the marriage between the business side of the organization and the cybersecurity team, and it should be regarded and evaluated as such by top management. In fact, it’s not an overstatement to say that you can’t be truly cybersecure without an outstanding (and yes, well-resourced) security engineering team.
As the CEO, CISO, and board members increasingly collaborate to develop new business ideas that are secure from the onset, the Security Engineering team is likely to be in most, if not all, of the planning and update meetings with business leaders. Without a resourceful, creative, and dedicated Security Engineering team, positive business outcomes will be harder to come by.
Keep that in mind the next time you see someone step to the podium at the next Academy Awards.