I’ve worked on complex IT problems for many years and, from my vantage point, the role of security in business growth has remained fairly consistent. Business leaders make a plan to move the organization in a particular way, the project is scoped, vendors are selected, work is executed and then, just before it’s launched or soon after, the security team is brought in to assess the risks and make recommendations. This has worked well for many years. However, as businesses evolve, this traditional approach to security may no longer suffice.

Many businesses are rapidly adopting cloud-native technologies to reimagine and improve their users’ experiences either through direct connection or by improving processes internally. Once an application is built and delivered, it can become much more difficult to go back and fix security issues. Each function of the business can have its own — and, at times, competing — priorities, making it harder to retrofit security once the project has moved on.

I believe this is the real problem security leaders are facing right now. Not the latest threats. Not the risks inherent in a fragmented, hybrid multicloud world. Rather, they need to position security as a strategic and essential function of every part of the business.

Shifting the Cultural Definition of Security

The impetus is on security leaders to change how security is perceived within the business. They need to understand and internalize the language of business, then take the initiative to push for involvement at each stage.

This is probably not news to most security leaders. They know and see the challenges they face trying to adjust security during the later stages of development. I think the bigger question most leaders ask themselves is “how?”

Cultural change on its own is never easy. Then, when you add in the security challenges inherent with digital transformation — too many tools, too much data and a growing skills gap — repositioning security as a strategic partner seems all the more daunting. What are some steps security teams can take?

  • Reduce complexity and simplify your ecosystem. Most security professionals I know are working tirelessly to address and manage the threats aimed at their business. They are investing in new tools and services, revisiting processes, and spending long hours trying to integrate these things to gain full visibility into their risk profile. For organizations, reducing complexity in their security ecosystem can help them get a more comprehensive view of their security data and the impact of compromise.
  • Respond faster and prioritize better. Security teams are managing potentially thousands of events each day, and coordinating responses across dozens of tools. To successfully navigate this morass, security leaders need to find a way to orchestrate security responses across their teams and automate actions where possible. This can help save time and allows security teams to focus on higher-value activities.
  • Be part of a vendor ecosystem that embraces open source. To truly change the conversation — and the culture — of security in the business, teams can look at products and services that interoperate seamlessly within a larger ecosystem. We’ve seen in the software industry that ecosystems based on open standards and open-source components are focused on business outcomes. The same is true for the security industry. Working with security vendors that embrace open-source philosophies can help these teams reduce their reliance on individual vendors and help improve their overall security posture.

Changing the culture of an organization is not an easy undertaking. Not only does it involve multiple departments, each with their own priorities, budgets and projects, it also involves a shift in thinking. But challenging as it is, I believe it’s necessary. Taking small steps to help reduce complexity in your security ecosystem, orchestrate security responses and embrace open source can help organizations better address the threats aimed at their business. It can also provide the necessary time and focus for security leaders to change the conversation about security and what it can do for the business.

More from CISO

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

6 Roles That Can Easily Transition to a Cybersecurity Team

With the shortage of qualified tech professionals in the cybersecurity industry and increasing demand for trained experts, it can take time to find the right candidate with the necessary skill set. However, while searching for specific technical skill sets, many professionals in other industries may be an excellent fit for transitioning into a cybersecurity team. In fact, considering their unique, specialized skill sets, some roles are a better match than what is traditionally expected of a cybersecurity professional. This article…