Hacker, Researcher, and Security Advocate

Tag: Leadership

Security IS a Business Function

I hear and see a growing number of security leaders and executives talking about the job of security to “enable the business”. This is a promising sign that we’re getting better in security spaces about recognizing our true role and demonstrating our value to the organization. However, what I’ve also discovered is that when I ask probing questions of these leaders, many of them do not understand *how* security enables the business. They struggle to articulate just what it is about security that drives business success. I believe this is because we still look at security as separate from the business and that we need to approach security as a business function.

When we think about business support functions like our finance teams, our recruiting teams, our accounts payable/receivable teams, we’re able to clearly visualize the direct impact each of those makes (or at least should make) in driving business success. In most cases we can articulate how those are business functions in terms of their connection to generating revenue and maximizing bottom line income. When we think about security however, those lines are often harder for us to picture. Often, security is thought of as a technology function, a few steps removed from the core business and lacking the ability to directly impact the business. So how do we start to shift from that mindset?

[Image: a large canyon between a man at a computer labeled "security teams" and a woman at a whiteboard labeled "the business lines"]

Moving beyond traditional thinking

Traditionally, when security practitioners have been forced to justify our value, the default line of thinking has been risk reduction. Security teams focus on the theoretical (albeit perhaps inevitable) impacts of breaches, attacks, etc., and we try to justify how our initiatives and processes reduce that risk. Then we try to quantify that by talking about the associated cost avoidance that comes from reducing the number of threats that are realized. This approach is problematic because, for those on the business side, these discussions lack context. The whole concept is ethereal, and the process of quantification is difficult and hard to defend under scrutiny. The result is that we fail to gain committed support from our peers in the executive suite (yes, I said peers, as that is what they should be, but that’s a topic for a different article).

If my relatively young tenure leading the security strategy for the CRA division (CRA, Credit Ratings Agency) of my organization has taught me anything, it’s the necessity of connecting everything to business viability, revenue, and bottom-line profit. I too have spoken for years about the need for security to enable the business. Working for a VAR, I understood it from the perspective of justifying security purchases. So I keyed in on that story line and how to motivate executives to spend money on the tools and processes we need. When I worked for a cloud-native security company, I got to see it from the perspective of how security can enable and grow the DevSecOps culture that so many organizations seek to leverage. But now, working in a global Fortune 500 financial services org, I feel like I’ve finally been able to wrap my 16 years of cybersecurity experience around the idea of how we truly connect the dots.

Thinking like a creditor

Imagine, for a moment, being a CISO and trying to demonstrate to a potential creditor how your cyber security program positively impacts the creditworthiness of your organization. For many in the security space, this seems like an impossible or maybe even laughable objective. Maybe, if we do take it on, we fall back on our old standby of cost avoidance through risk reduction. How many creditors are going to be interested in that story line? I can assure you, very few. So ask yourself, how do we take it further?

When a creditor is looking at your organization, they want to know how likely it is you’ll be able to pay off your debts. Sure, avoiding unexpected and unplanned security expenses plays a part, but in the grand scheme of things that’s a very small influence. We need to instead elevate our security program’s influence on the bigger picture. Creditors want to know where you are headed in terms of growth, investment, innovation, and market placement. Where you are today is actually less relevant, and where you’ve been even less still. Even where historical performance is used, it is used as a predictor of how your organization will do in light of future challenges. Therefore, to credibly demonstrate the significant component our security programs represent in that bigger picture, we have to speak to those forward-looking concepts.

Finding the holy grail

This is essentially that “holy grail” of business enablement that is being discussed with greater frequency. To do this, we as security leaders need to change our prioritization metrics. This means designing programs around less traditional priorities, the ones that drive where the organization is headed:

[Image: a handshake with a word map in the hands containing words such as cooperate, welcome, connect, integrate, communicate, assist, bridge, etc.]
  • Product Agility – How is your security program creating the capability to bring products and enhancements to market faster? Removing friction is important, but do you actually make frequency of deployments, reduction of work-in-progress, and product/service stability KPIs for your security program? If not, you’ve completely missed the boat on what “shared responsibility” (a core tenet of DevSecOps culture) means.
  • Innovation – Consider your standards and policies: are they built to ensure security and be flexible enough to allow exceptions, or do they actually encourage your business to find new ways to accomplish the same security objective? The former is hard enough for many security programs to understand. The latter is where we need to get to, but very few make it a focus. Netflix years back introduced the idea of the “paved road”: making the secure path the easy path to deployment encourages secure practices. But what about introducing a higher level of empowered accountability, encouraging our business lines to achieve an acceptable level of security in a way that best fits their business objectives?
  • Business viability – There are plenty of fail-fast stories out there. Heck, Alphabet has built an empire on the concept. But even when we do it fast, failure can still be expensive. Have you ever considered how your security program can support greater viability in the marketplace for your organization’s products and services? Security practitioners often consider reputational risks, but how can we move beyond that and address other viability risks? Security programs need to focus on how we can improve customer acquisition. Can we remove friction from the customer onboarding process? Can we leverage our security expertise to better support customer success initiatives? Our programs should also consider how we can support brand alignment. Wouldn’t we all love to work for a business where security was a credible component of the brand? These are key priorities that should shape how we grow our security program.
  • Profitability – Sure, you’re probably thinking, “well, that’s obvious. If I can reduce the cost of my program, I can make us more profitable.” Well, if you’re a CISO working on a budget that’s likely already stretched thin, is that really the approach you want to take to prop up the bottom line? Instead, make driving cost efficiency in the business line your priority, and be sure to track it and demonstrate it. Drawing a connection between a security initiative and reduced hard-dollar costs in the business line is a gold nugget that gains you support not just from the executive suite but also from the business lines themselves. Look for alignment between tool capabilities and business compliance requirements. Even better, build security processes and projects that eliminate the need for extensive business processes.

We as security leaders have to start thinking differently. We cannot continue to silo ourselves from the business and then preach about how we’re going to enable the business. We can’t continue to demand that security is everyone’s responsibility while abdicating our responsibility for making our development pipelines more efficient, our business practices stronger, and our marketing objectives more strategic. We share in that too. If we do this, we can start to get our organizations collaborating with us, leveraging our capabilities, and thinking of us not as a necessary cost center but rather as a true function of the business.

[Image: three women at a table, possibly a job interview]

A Promotions Gap

Are expectations in promotion helping fuel the “skills gap”?

Search job postings and you’ll find there are plenty of companies bragging about how they invest in their people. Internally, organizations like to boast about having a culture of promoting from within. Indeed, there is no shortage of articles touting the value of internal promotion processes. Yet I must wonder if these words translate into action. While I’m still gathering the data in my surveys, some respondents have also reached out to me directly to share their stories. Quite a few tell me how difficult it is to transition internally into security-related roles.

Initially, this might seem anecdotal. Without analyzing objective data, it can be dangerous to draw conclusions. However, the stories I hear are numerous, and I have also witnessed and experienced similar situations. How many of the companies that claim to prioritize developing and promoting their own people actually walk that walk? I’m beginning to believe the percentages aren’t that good.

What it means to promote from within

Establishing a culture of promoting from within requires more than mere words. In fact, failing to credibly back up such claims with actions can be detrimental to employee engagement. It’s more than simply having a process for employees to internally search and apply for jobs. It requires a commitment to your people. This commitment requires a few things:

  • Truly investing in the skills development of your people
  • Changing the way you evaluate candidates for available opportunities
  • Shedding the idea of “critical” roles that lead to external hiring

Over my 25 years in professional roles, I’ve seen the good and the bad. I’ve watched companies provide training with no clearly defined path for career advancement. I’ve experienced hiring searches that failed to accurately assess the potential of internal candidates. I’ve even been witness to hiring practices that deemed a role too “critical” to take a chance on elevating an internal employee. These are mistakes and they lead to long timelines to fill crucial positions while also devaluing existing employees.

[Image: quote by Richard Branson about taking chances on people and promoting from within]

Investing in employee development

I’ll start with the concept I believe is probably most easily understood. I also believe, again based only on experience and hearsay, that it is the one that gets the most effort. Employee development is a concept that’s gotten increased attention in the last decade or so. More and more, organizations are coming to understand the business value of developing their employees.

Training seems to be one of the key areas that gets the focus when we talk about employee development. Many organizations have formal training programs, invest in e-learning technologies, and some even set aside specific per-employee training budgets. This is great; however, it only scratches the surface of what is necessary. To truly develop your employees means preparing them for their next role and providing a clear vision of what that next role can be and how they can get there.

This requires active leadership participation. It requires the organization first and foremost to have mature job descriptions and provide clear expectations. Human Resources professionals can often tell you stories of struggling to get support for this foundational element. Taking the next step of succession planning is also crucial. How will a role be filled when it becomes vacant? Leaders should constantly be working to identify “who’s next”. Ultimately, that succession planning then has to lead to action. Leaders need to be grooming those planned successors, empowering employees through challenging assignments that provide visibility into key aspects of what that next role entails. Sadly, these last two steps are often neglected or avoided altogether.

So succession planning and development require us to identify candidates by potential. That leads into the second point: we need to think about our people and how they fit open roles in a different way.

Evaluate talent differently

This is a concept that, from my experience, needs a lot of attention in most organizations. If a company is looking to fill a role, how it assesses internal candidates needs a unique approach. Far too often the same experience- and skills-based lens is used for both internal and external candidates, but that just doesn’t work. When evaluating external candidates, a reasonable mix of experience that matches the job role is expected; for instance, the expectation that a candidate for a senior manager or director role has previous “managing managers” experience. However, the same bar cannot be used for internal candidates if you’re invested in developing your people.

Internal candidates are often direct reports of the role being filled, or are moving into that role from another area of the business. So it can’t be expected that they’ll have the experience of someone who’s worked that role before. Organizations need to assess internal candidates based on potential. But how does the leadership team assess potential? The Harvard Business Review published a terrific article on this in 2017. The basic premise is that leaders need to be constantly aware of those employees whose performance consistently elevates that of those around them. It’s a combination of ability, drive, and social skills that should be prioritized above past experience or demonstrated role-specific skills.

Unfortunately, judging from the stories I’ve heard, my own experiences, and indeed the glut of open security-related leadership roles currently on job boards, companies are failing in this crucial aspect. And that leads to the third point.

No role is THAT critical

I’ve watched numerous internal security candidates get rejected or ignored and jobs posted externally because the role was deemed “too crucial”. In particular within security, there seems to be a belief that certain roles are so important that the organization must find a “step-in” candidate (someone who’s done it before and can step in and run with things on day one). The problem is that this prolongs the candidate search in two ways. First, it eliminates the majority of high-performing internal candidates who could be very successful in the role. Second, it shrinks the available pool of external candidates since, as studies show, the majority of job seekers are looking for new challenges. Few are going to be attracted to a job doing what they’ve already been doing.

Promoting from within requires the understanding that high-performing candidates thrive in critical roles that stretch their skills or demand that they develop new ones. Pushing back on or ignoring internal candidates because a role is “too critical” to fill internally tells your teams a lot about how much you value their skills and abilities. It says you don’t trust them, you don’t believe in them, and that the only jobs they’re qualified to fill are somehow less crucial. This is not how you create a culture of committed high performance.

About that skills gap…

When I see security roles open for long periods of time, it causes me to question the organization. Sure, many jobs need to be filled externally, especially at growing companies that are seeking to add resources. But when there’s a role that sits open for 6 months, a year, or longer, especially if it’s a senior or leadership role, one has to ask, “are there no internal high performers who could step into that role?” The broader question becomes, once again: are we experiencing a skills gap, or are we just looking for the wrong skills or in the wrong places?

** Footnote: Some may take issue with certain aspects above in the context of equal employment opportunity requirements and such. Nothing I’m suggesting above is in conflict with those requirements; I simply didn’t go the extra mile of explaining how, as that is a lengthy discussion on its own.