TL;DR: Security a few years ago was known as the “Department of No!” As security evolved into a true risk management discipline learning about the business and its risk appetites, it gained insights across the organization. The insights gathered led to organization-wide intuitions. When ignored, the intuitions turn into “I told you so”, but those intuitions can instead be leveraged as a significant business advantage if security has the opportunity to collaborate with the business.

Iteration 1: Just Say No
Up until 5-10 years ago, security was known as the “Department of No”. The mantra became: don’t tell security anything, because they would reject your project just as it was about to launch. Security was the ultimate business inhibitor. The negative association became the equivalent of having a barking dog in your front yard: no one wants to visit that house even if it’s filled with candy/money/etc.
The origin of this type of behavior was that security was usually relegated to playing cleanup after work was completed, usually finding out about initiatives late in the process. This led to a vicious cycle: security was pushed further down the funnel, seen as a technology function that would fix problems when they came up, and rarely thought of outside of being the tech bogeyman who would tell you that the world was about to burn.
To complicate matters, security teams were selecting tools that solved point problems but rarely made life easier. If anything, the solutions led to slower machines, more complicated workflows, and less functionality. All of these factors led the business to stay away from security as much as possible, lest it kill the business’s momentum.
Iteration 2: Collaboration
The next iteration of security became more collaborative. Security leaders conceived of building comprehensive and cohesive security programs that provide visibility into risk across the organization. As part of building a cohesive program, security teams started running alongside the product and engineering teams.
Oftentimes, friction was introduced into the process because teams operating with a “move fast and break things” mentality didn’t understand risk. Furthermore, security teams didn’t know how to adapt to these fast-moving teams willing to take on large amounts of risk. Those teams viewed the risk-taking as perfectly acceptable because they would just fix any issues with another release right away.
This all left security a bit off balance, but still trying to find ways to work with the business and engineering. Around this phase, security started to realize that business as usual was not going to cut it, or they would end up in a never-ending game of catch-up.
Iteration 3: Transformation
The current iteration of security is one where the security organization knows how to adapt to fast-moving businesses. Most companies at this point are either transformed or in the midst of a “digital transformation”, and adept security teams have learned how to keep pace. Once they are operating alongside the transformation teams, security teams are able to think further ahead. The security organizations in the transformation phase are building tools, making security more seamless, and identifying ways to make security the path of least resistance.
Security in the transformation phase is grease for the motor of the company, making customer experiences more effective and secure while also improving the company’s security and risk posture. Many organizations are satisfied with security in this state because it’s already far better than it used to be. However, I would challenge security leaders and their company’s leadership teams to try taking it to the next level.
Iteration 4: Intuition and Insight
As security teams become more collaborative and strategic, they amass information about the business that generates unique perspectives about the health and direction of the company. Along with those insights comes the human component. As I mentioned previously, security is much more of a human problem with some technical solutions than a technical challenge with problematic humans.
In order to reach this phase, security teams are already focusing on people within the company and customers in order to find better ways of moving quickly. Learning about people’s motivations and tendencies leads to a different perspective. The result is that security teams become armed with a psychological understanding of the organization. Couple the human understanding with the organizational objectives and you end up with perception and intuition.
Iteration 5: Security as a Business Advantage
Armed with this perception and intuition, security teams start sharing their thoughts on risks and potential potholes/speed bumps. If those perspectives go unheeded, there is a strong likelihood that within 6 months the predicted event happens and becomes the “I told you so.”
Some think that security professionals relish the “I told you so” moments. Let me be the first to say that we do not enjoy this at all. “I told you so” means that we did not get our point across or that our credibility is not strong enough. The CISO’s challenge becomes gaining the trust of the other business leaders that their observations are accurate, relevant, and credible.
The way to mitigate the “I told you so” moments is by implementing a strong risk management program. The goal of the program is to document the risks and their risk treatment plans. Risk management is as much about helping the business make conscious strategic decisions as it is about the CISO ensuring that their observations are heard.
So how do you know if your CISO is in tune with the business? Are they identifying and measuring the risks that are truly relevant? Or do you have a doomsday soothsayer that looks more like Chicken Little claiming the sky is falling?
CISO Accuracy Metric: The Oracle Index
I would like to propose that we start tracking a metric of the accuracy and frequency with which security is able to identify risks, and the extent to which those risks come to impact the business. Oftentimes the CISO is left to shout into the wind, exasperated that no one listened, and then has the repeated “I told you so” moments. Instead, let’s track how often the CISO was correct in their understanding of the business and the risks it faces; as that index rises, so does their contribution to business direction.
CISOs with high Oracle Index scores will be the ones most in tune with the business and the risks it faces, and the business can benefit from those insights.