FINAL WORD
Reframing the security team as the ‘Department of Yes’
Peter Margaris, Head of Product Marketing at Skybox Security, tells us that the CISO and their security teams have an image problem. “The CISO isn’t a Grinch-like figure who’s hellbent on preventing progress within their organisation,” he says.
This is an era of tectonic change for many businesses: they’re shedding increasingly archaic processes and practices and embracing innovation. In many ways, Digital Transformation initiatives should be celebrated. These are projects that exist to make life easier for employees, improve operational efficiencies, drive down costs and expand business growth. But there is a sting in the tail and it’s hurting the CISO and their security team. The CISO has an image problem.
Digital Transformation projects are expensive. They’re complicated. They have a lot of moving parts. So when a new investment in, say, a public cloud service gets the green light, it makes sense that the team responsible for its deployment is keen to enjoy its benefits as soon as possible. The perception of any project’s success can be hindered if it takes too long to deploy, which is why DevOps teams are increasingly reluctant to involve the security department in the process. The security team is seen as a roadblock, as a team which says ‘no’ and stands in the way of progress. This needs to change. The CISO and the security function as a whole need recalibration. They need to become ‘The Department of Yes.’
Why security has become the ‘Department of No’
Of course, the perception that many have about the CISO is unfair and lacks nuance. The CISO isn’t a Grinch-like figure who’s hellbent on preventing progress within their organisation. They know better than anyone just how impactful and transformative the right technology can be. Without being able to automate change management processes, for example, their team would be wasting a lot of time on manual logging and testing. But they also know that any new investment expands the attack surface, can bring in a number of new risks and introduces further fragmentation to their already complex hybrid networks.
Most of the time, the CISO isn’t actually saying ‘no’. What they’re saying is: ‘Let’s take some time to make sure that this new investment is properly secured and doesn’t introduce unnecessary risk to our organisation.’ And while they’re trying to say that, they’re thinking about how that one request, and many more like it, are adding a greater burden to their already heavy workloads. They’re feeling the stress. And this stress can make a request to take a few steps back and properly map out a deployment plan sound very much like a ‘no’.
What many people don’t understand is just how difficult the CISO’s job has become over the last decade. Everything has gone digital, proliferating technology and systems that produce and manage critical business data. Traditional security boundaries have vanished and CISOs are operating with network complexities that would previously have been unimaginable.
Internationally dispersed, mobile workforces and outsourcing have become commonplace within many organisations, creating countless connections that span multiple continents. The number of regulatory mandates that the CISO has to navigate is dizzying. Complexity is the CISO’s number one problem – it’s only natural that they may seem resistant to anything that may further compound this issue.
www.intelligentcio.com