I’ve worked on complex IT problems for many years and, from my vantage point, the role of security in business growth has remained fairly consistent. Business leaders make a plan to move the organization in a particular way, the project is scoped, vendors are selected, work is executed and then, just before it’s launched or soon after, the security team is brought in to assess the risks and make recommendations. This has worked well for many years. However, as businesses evolve, this traditional approach to security may no longer suffice.

Many businesses are rapidly adopting cloud-native technologies to reimagine and improve their users’ experiences either through direct connection or by improving processes internally. Once an application is built and delivered, it can become much more difficult to go back and fix security issues. Each function of the business can have its own — and, at times, competing — priorities, making it harder to retrofit security once the project has moved on.

I believe this is the real problem security leaders are facing right now. Not the latest threats. Not the risks inherent in a fragmented, hybrid multicloud world. Rather, they need to position security as a strategic and essential function of every part of the business.

Shifting the Cultural Definition of Security

The impetus is on security leaders to change how security is perceived within the business. They need to understand and internalize the language of business, then take the initiative to push for involvement at each stage.

This is probably not news to most security leaders. They know and see the challenges they face trying to adjust security during the later stages of development. I think the bigger question most leaders ask themselves is “how?”

Cultural change on its own is never easy. Then, when you add in the security challenges inherent with digital transformation — too many tools, too much data and a growing skills gap — repositioning security as a strategic partner seems all the more daunting. What are some steps security teams can take?

  • Reduce complexity and simplify your ecosystem. Most security professionals I know are working tirelessly to address and manage the threats aimed at their business. They are investing in new tools and services, revisiting processes, and spending long hours trying to integrate these things to gain full visibility into their risk profile. For organizations, reducing complexity in their security ecosystem can help them get a more comprehensive view of their security data and the impact of compromise.
  • Respond faster and prioritize better. Security teams are managing potentially thousands of events each day, and coordinating responses across dozens of tools. To successfully navigate this morass, security leaders need to find a way to orchestrate security responses across their teams and automate actions where possible. This can help save time and allows security teams to focus on higher-value activities.
  • Be part of a vendor ecosystem that embraces open source. To truly change the conversation — and the culture — of security in the business, teams can look at products and services that interoperate seamlessly within a larger ecosystem. We’ve seen in the software industry that ecosystems based on open standards and open-source components are focused on business outcomes. The same is true for the security industry. Working with security vendors that embrace open-source philosophies can help these teams reduce their reliance on individual vendors and help improve their overall security posture.

Changing the culture of an organization is not an easy undertaking. Not only does it involve multiple departments, each with their own priorities, budgets and projects, it also involves a shift in thinking. But challenging as it is, I believe it’s necessary. Taking small steps to help reduce complexity in your security ecosystem, orchestrate security responses and embrace open source can help organizations better address the threats aimed at their business. It can also provide the necessary time and focus for security leaders to change the conversation about security and what it can do for the business.

More from CISO

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read