I’ve worked on complex IT problems for many years and, from my vantage point, the role of security in business growth has remained fairly consistent. Business leaders make a plan to move the organization in a particular way, the project is scoped, vendors are selected, work is executed and then, just before it’s launched or soon after, the security team is brought in to assess the risks and make recommendations. This has worked well for many years. However, as businesses evolve, this traditional approach to security may no longer suffice.
Many businesses are rapidly adopting cloud-native technologies to reimagine and improve their users’ experiences either through direct connection or by improving processes internally. Once an application is built and delivered, it can become much more difficult to go back and fix security issues. Each function of the business can have its own — and, at times, competing — priorities, making it harder to retrofit security once the project has moved on.
I believe this is the real problem security leaders are facing right now. Not the latest threats. Not the risks inherent in a fragmented, hybrid multicloud world. Rather, they need to position security as a strategic and essential function of every part of the business.
Shifting the Cultural Definition of Security
The impetus is on security leaders to change how security is perceived within the business. They need to understand and internalize the language of business, then take the initiative to push for involvement at each stage.
This is probably not news to most security leaders. They know and see the challenges they face trying to adjust security during the later stages of development. I think the bigger question most leaders ask themselves is “how?”
Cultural change on its own is never easy. Then, when you add in the security challenges inherent with digital transformation — too many tools, too much data and a growing skills gap — repositioning security as a strategic partner seems all the more daunting. What are some steps security teams can take?
- Reduce complexity and simplify your ecosystem. Most security professionals I know are working tirelessly to address and manage the threats aimed at their business. They are investing in new tools and services, revisiting processes, and spending long hours trying to integrate these things to gain full visibility into their risk profile. For organizations, reducing complexity in their security ecosystem can help them get a more comprehensive view of their security data and the impact of compromise.
- Respond faster and prioritize better. Security teams are managing potentially thousands of events each day, and coordinating responses across dozens of tools. To successfully navigate this morass, security leaders need to find a way to orchestrate security responses across their teams and automate actions where possible. This can help save time and allows security teams to focus on higher-value activities.
- Be part of a vendor ecosystem that embraces open source. To truly change the conversation — and the culture — of security in the business, teams can look at products and services that interoperate seamlessly within a larger ecosystem. We’ve seen in the software industry that ecosystems based on open standards and open-source components are focused on business outcomes. The same is true for the security industry. Working with security vendors that embrace open-source philosophies can help these teams reduce their reliance on individual vendors and help improve their overall security posture.
Changing the culture of an organization is not an easy undertaking. Not only does it involve multiple departments, each with their own priorities, budgets and projects, it also involves a shift in thinking. But challenging as it is, I believe it’s necessary. Taking small steps to help reduce complexity in your security ecosystem, orchestrate security responses and embrace open source can help organizations better address the threats aimed at their business. It can also provide the necessary time and focus for security leaders to change the conversation about security and what it can do for the business.
Vice President of Product Management, IBM Security