November 18, 2019 By Aarti Borkar 3 min read

I’ve worked on complex IT problems for many years and, from my vantage point, the role of security in business growth has remained fairly consistent. Business leaders make a plan to move the organization in a particular way, the project is scoped, vendors are selected, work is executed and then, just before it’s launched or soon after, the security team is brought in to assess the risks and make recommendations. This has worked well for many years. However, as businesses evolve, this traditional approach to security may no longer suffice.

Many businesses are rapidly adopting cloud-native technologies to reimagine and improve their users’ experiences either through direct connection or by improving processes internally. Once an application is built and delivered, it can become much more difficult to go back and fix security issues. Each function of the business can have its own — and, at times, competing — priorities, making it harder to retrofit security once the project has moved on.

I believe this is the real problem security leaders are facing right now. Not the latest threats. Not the risks inherent in a fragmented, hybrid multicloud world. Rather, they need to position security as a strategic and essential function of every part of the business.

Shifting the Cultural Definition of Security

The impetus is on security leaders to change how security is perceived within the business. They need to understand and internalize the language of business, then take the initiative to push for involvement at each stage.

This is probably not news to most security leaders. They know and see the challenges they face trying to adjust security during the later stages of development. I think the bigger question most leaders ask themselves is “how?”

Cultural change on its own is never easy. Then, when you add in the security challenges inherent with digital transformation — too many tools, too much data and a growing skills gap — repositioning security as a strategic partner seems all the more daunting. What are some steps security teams can take?

  • Reduce complexity and simplify your ecosystem. Most security professionals I know are working tirelessly to address and manage the threats aimed at their business. They are investing in new tools and services, revisiting processes, and spending long hours trying to integrate these things to gain full visibility into their risk profile. For organizations, reducing complexity in their security ecosystem can help them get a more comprehensive view of their security data and the impact of compromise.
  • Respond faster and prioritize better. Security teams are managing potentially thousands of events each day, and coordinating responses across dozens of tools. To successfully navigate this morass, security leaders need to find a way to orchestrate security responses across their teams and automate actions where possible. This can help save time and allows security teams to focus on higher-value activities.
  • Be part of a vendor ecosystem that embraces open source. To truly change the conversation — and the culture — of security in the business, teams can look at products and services that interoperate seamlessly within a larger ecosystem. We’ve seen in the software industry that ecosystems based on open standards and open-source components are focused on business outcomes. The same is true for the security industry. Working with security vendors that embrace open-source philosophies can help these teams reduce their reliance on individual vendors and help improve their overall security posture.

Changing the culture of an organization is not an easy undertaking. Not only does it involve multiple departments, each with their own priorities, budgets and projects, it also involves a shift in thinking. But challenging as it is, I believe it’s necessary. Taking small steps to help reduce complexity in your security ecosystem, orchestrate security responses and embrace open source can help organizations better address the threats aimed at their business. It can also provide the necessary time and focus for security leaders to change the conversation about security and what it can do for the business.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today