Businesses are transforming at a faster pace than ever before and security leaders are recognizing the need for their programs to keep pace. What does transformation mean to businesses? According to our CISO interviews, many said business transformation means digitization, moving to the cloud, and investments in innovative technologies.
HOW THIS IMPACTS SECURITY?
Chris Lugo, Global CISO, Danaher Corporation (profile on page 4) says, “You have to keep the business intentions front of mind. Otherwise, as we’ve seen with advances in technology, our business partners, our stakeholders will move on without the security organization when the security organization isn’t able to move fast enough.”
Stacy Williams, CISO of Zappos (profile on page 8) says, “We are always trying to keep up with the business and be in the best position possible to support goals and initiatives that the business is looking to engage in.”
Furthermore, Mark Ferguson, the former CISO of Honeywell (profiled in June 2019) says, “Today businesses are transforming in many ways including digitization and moving to the cloud, something that enables the business to grow, yet security departments aren’t always equipped to keep up.”
As a security professional, there is a need for speed and agility, and it may be challenging to keep with the pace of the business. Often, every additional cycle you spend on a security review or building out a security control, could be a differentiator in how quickly a product or service goes to market. And often, the first company that gets an innovative product out could potentially dominate the market share for that particular space.
There is a great challenge as a security leader to attempt to understand how to inform the business on risks without being viewed as an obstructionist or an alarmist. Part of the objective is to provide a sense of calm in security leader’s evaluation of risk.
HOW TO KEEP PACE?
We asked our CISO community how they keep pace with the business transformations rapidly taking place. Some of their answers include being involved in enterprise architecture to inject security at the beginning of every project, building collaboration and engagement across an organization, and structuring a program around trust.
On page 6, we interview Sean Walls, CISO, Visonworks. Walls believes many CISOs struggle to be involved in strategic planning discussions around digital transformations, but since enterprise architecture is rolled under Walls, he strives to ensure technologies properly align with the future state reference architecture model, which focuses on standardizing and consolidating the technology stack.
Walls says, “If you own enterprise architecture like I do, then it’s easy because you just change the process so that you inject yourself right at the beginning of every project…If you don’t own enterprise architecture, then I would recommend meeting with the enterprise architecture team to make sure that they have a security architect on staff. If they don’t, offer to let them use your services, if bandwidth permits. Often, enterprise architecture will look at a project and focus on infrastructure, data, and applications, since most think that’s the core of enterprise architecture, but they’re missing a really important aspect, which is security.”
Sean Mack, CIO and CISO at Wiley (profile on page 12) encourages security leaders to look at increasing security by building collaboration and engagement across an organization instead of making security a blocker. He values security being part of every aspect of an organization, including strong security awareness amongst employees.
Mack says, “…Instead of putting up more gates, let’s automate our security so that it’s part of what we do every day. You can release fast and you can release securely. It’s also about being transparent. By sharing the issues with the other parts of the business you can increase awareness and get everyone involved in ensuring security.”
On page 11 Susan Wise, Chief Privacy Officer at Biogen shares her thoughts on cyber security in a Q&A. She says, “Cyber and privacy are of course only two areas of risk in the enterprise, but if there is a coordination between cyber and privacy, there is a real opportunity to help organizations advance not only risk management in these areas, but across the enterprise as well.”
Kevin Paige, CISO of Flexport, says trust is key to helping advance the organization. In his quote on cyber security and competitive advantages on page 19, a few key excerpts include, “When I’m talking to business partners, I use the word trust. It’s all about trust, right? We want our customers to trust us. We want our employees to trust us. We want our business partners to trust us. Especially if you’re a cloud platform or you want somebody to use a new cloud platform or technology or capability. You’ve got to trust it, and how do you trust it? How do you create that trust? How do we evolve that trust? People are going to use what they trust. If you have a brand that’s trusted, if you have capabilities that are trusted, if you have people that you work with who are trusted, that is the key. That is the competitive advantage, right?”
We want to encourage our CISO community to strive to keep pace and make a significant impact on the organizations they work for. This often means establishing a strong security program that directly aligns with the goals of the business. Executive and board alignment is key in ensuring security is brought into all strategic conversations about growth, expansion, and innovation taking place within organizations.
Subscribe
Stay up to date with cyber security trends and more