November 18, 2019 By Aarti Borkar 3 min read

I’ve worked on complex IT problems for many years and, from my vantage point, the role of security in business growth has remained fairly consistent. Business leaders make a plan to move the organization in a particular way, the project is scoped, vendors are selected, work is executed and then, just before it’s launched or soon after, the security team is brought in to assess the risks and make recommendations. This has worked well for many years. However, as businesses evolve, this traditional approach to security may no longer suffice.

Many businesses are rapidly adopting cloud-native technologies to reimagine and improve their users’ experiences either through direct connection or by improving processes internally. Once an application is built and delivered, it can become much more difficult to go back and fix security issues. Each function of the business can have its own — and, at times, competing — priorities, making it harder to retrofit security once the project has moved on.

I believe this is the real problem security leaders are facing right now. Not the latest threats. Not the risks inherent in a fragmented, hybrid multicloud world. Rather, they need to position security as a strategic and essential function of every part of the business.

Shifting the Cultural Definition of Security

The impetus is on security leaders to change how security is perceived within the business. They need to understand and internalize the language of business, then take the initiative to push for involvement at each stage.

This is probably not news to most security leaders. They know and see the challenges they face trying to adjust security during the later stages of development. I think the bigger question most leaders ask themselves is “how?”

Cultural change on its own is never easy. Then, when you add in the security challenges inherent with digital transformation — too many tools, too much data and a growing skills gap — repositioning security as a strategic partner seems all the more daunting. What are some steps security teams can take?

  • Reduce complexity and simplify your ecosystem. Most security professionals I know are working tirelessly to address and manage the threats aimed at their business. They are investing in new tools and services, revisiting processes, and spending long hours trying to integrate these things to gain full visibility into their risk profile. For organizations, reducing complexity in their security ecosystem can help them get a more comprehensive view of their security data and the impact of compromise.
  • Respond faster and prioritize better. Security teams are managing potentially thousands of events each day, and coordinating responses across dozens of tools. To successfully navigate this morass, security leaders need to find a way to orchestrate security responses across their teams and automate actions where possible. This can help save time and allows security teams to focus on higher-value activities.
  • Be part of a vendor ecosystem that embraces open source. To truly change the conversation — and the culture — of security in the business, teams can look at products and services that interoperate seamlessly within a larger ecosystem. We’ve seen in the software industry that ecosystems based on open standards and open-source components are focused on business outcomes. The same is true for the security industry. Working with security vendors that embrace open-source philosophies can help these teams reduce their reliance on individual vendors and help improve their overall security posture.

Changing the culture of an organization is not an easy undertaking. Not only does it involve multiple departments, each with their own priorities, budgets and projects, it also involves a shift in thinking. But challenging as it is, I believe it’s necessary. Taking small steps to help reduce complexity in your security ecosystem, orchestrate security responses and embrace open source can help organizations better address the threats aimed at their business. It can also provide the necessary time and focus for security leaders to change the conversation about security and what it can do for the business.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today