When I started in the field of information security over 20 years ago, securing the perimeter seemed like an achievable goal. Much of the focus was on network penetration, intrusion detection, and securing host devices. Cybersecurity conversations were highly technical, impenetrable to those not versed in the area, and often ignored business imperatives. The assumption about security was that one approach would fit all.
Today’s environments are quite different. We have mobile devices everywhere, cloud services, virtual infrastructure, personal applications being used at any place any time, and smart things inside and outside of our organizations. Our networks are fluid, perpetually changing based on new data sources that often look and act nothing like traditional computer endpoints. Now, add in a few other factors like a creeping compliance footprint, stringent data governance standards, and dramatically higher costs of service interruptions.
That old organizational model of the security team off by itself, hunting for and fixing problems far away from the centers of business activity, no longer makes any sense. Security must take place where the action is—in the business units, in close concert with business stakeholders.
Any organization that does not give security a seat at the table—and within every department of the enterprise—is setting itself up for higher risk and far greater chance of failure. Even more than sophisticated new tools and more useful services, this is critical to a safe and secure organization.
When I think about this new security paradigm, I look at it from three angles:
- Why security must have a seat at the table.
- Why that has to happen in every department.
- How you make that happen.
First, security has to have a seat at the table because what we are being asked to secure is not the technical underpinnings such as servers, storage, networks, and software. What is being protected are data, identities, intellectual property, and business processes. As security professionals, we have built our careers on a foundation of technical knowledge and access to great security tools. But that no longer is enough.
Security is rooted in improving business outcomes and reducing business risk. That means we have to understand where we have commercially sensitive assets and how those assets are connected to the organization’s core business processes. Because so many CISOs have come up through the technical side of the house, they are not innately comfortable with business issues such as improving inventory turns, enhancing brand reputation, or facilitating supply chains.
We need partners on the business side—and they need us—probably more than they might know or be willing to admit. When we sit together and discuss cybersecurity threats to business operations and the impact on our sales, profits, and reputation, our collaboration inevitably yields a broader array of issues, richer solutions, and better execution to secure our digital businesses. And, because security budgets are increasingly funded by different business units rather than solely from a central InfoSec budget, we all need to be on the same page when it comes to what we are going to spend money on and what our priorities need to be.
Now, let’s talk about the second issue: giving security a seat at the table in every department. With every organization becoming a data business, we’ve learned the hard way that all parts of an organization are at risk from malware, zero-day attacks, advanced persistent threats, identity theft, ransomware and more.
Attackers don’t just go after the engineering department’s pending patent applications, or the sales organization’s customer lists, or the CFO’s notes on pending acquisitions. Every department of every organization is at risk, and you must have your business leaders and your security team putting their heads together to identify risks, weigh potential impacts, plot strategies, execute defensive plans, and measure outcomes.
What experience has taught us is that our networks don’t just enable the free flow of data across boundaries and IT architectures; they actually act as catalysts for change. For instance, marketing campaigns yield digital data that salespeople use to interact with specific customers, which results in constantly morphing sales forecasts that interactively drive manufacturing build plans and component sourcing. When data crosses these dotted lines, security has to be integrated into every department. Bad guys don’t respect organizational boundaries.
So, when organizations begin to understand the necessity and benefit of giving security a seat at the table—within every department—it then comes down to what leadership can do in order to make that a reality.
One often-discussed approach involves rethinking the organizational chart—specifically, to whom the CISO should report. While in some industries the reporting line has started to change—most notably in the financial industry—the CISO more often than not reports into the CIO or CTO as part of the overall IT organization. This removes their ability to be part of the overall conversation around business strategy. Even if the CISO reports to a top business executive (rather than to the CIO or CTO), it is rare that this is enough to ensure security truly has a seat at the table across the organization.
The increased transition of DevOps into DevSecOps—where security becomes part of the application development process from the start rather than at the tail end of the process—is another important step in the right direction that business leaders would do well to understand and adopt.
Today, security risks can—and do—pop up anywhere and at any time. If security is not in lockstep with business stakeholders, threats will emerge, take root, and do potentially irreparable harm. You have to ensure that your security teams understand the business units’ goals and challenges, so security can be an enabler of business outcomes rather than an impediment to action. But how are you going to do that if the security team is ensconced in its ivory tower, intently monitoring network anomalies and shutting down systems at the hint of an incursion?
Unless your security teams are sitting at the table within every department, you are increasing your risk profile. With the escalating compliance, governance, and legal requirements—let alone ensuring that your business units have every opportunity to succeed—it’s a risk you can’t afford to take.
Kevin O’Leary is field chief security officer for the Asia Pacific region at Palo Alto Networks.