TL;DR: Security, if leveraged and led properly, should help drive your business and increase speed of delivery. Listen to your security leader to identify opportunities and risks, and decide how you will use that information to outperform your competitors.

As I have mentioned several times in other posts, security shouldn’t just be an insurance policy. Many see it as a pipe dream or wishful thinking that security could ever be part of the strategy or a revenue driver. I would argue that if you’re not seeing the opportunity then you’re not looking hard enough. Security should always have a way of growing the bottom line (cost and risk reduction) as well as the top line (revenue). Let’s dive into how this can happen.
Sales
The security team should be tightly coupled with your sales team, whatever shape that may take. That means you need a CISO who can represent the business and talk to human beings, which may sometimes be a tall order. If you are a particularly sales-heavy organization then perhaps that means a PR CISO archetype is needed to help with sales growth.
Sales is also about shortening the sales cycle. One way is through the great representation mentioned above, but another is by greasing the skids when the customer inevitably does a risk review. This can be accomplished either by having really great canned responses (a maintained answer bank for common questionnaire items) available for rapid turnaround, or by obtaining a security certification or attestation report that can be presented to customers (e.g. ISO 27001 certification, or SOC 1/2/3 reports, formerly issued under SSAE 16 and now under SSAE 18). Note the distinction: ISO 27001 is a certification, while SOC reports are third-party attestations, and many customers will ask for one or the other specifically. Rapid turnaround of these requests helps security build a closer relationship with the sales team, and both will be more successful as a result.
Speed Up Delivery
The goal of a business is to deliver products and services as quickly as possible to make money. The question is: how will security help make that happen? Security can easily slow things down, but then people will simply go around security, and you end up with less visibility and more risk than if you had never intervened. Instead, let’s look at some mantras that help make speed possible.
- “Shift Left (<<<)”: This has now become somewhat cliche but at the same time it’s still accurate. Shifting left means making security part of the development/product lifecycle early on (requirements, design, and code review) rather than the last step before release, when findings are most expensive to fix. The earlier security is involved, the better it can keep things moving. There’s also the possibility that security can help find efficiencies along the way.
- “Embedding”: Security can dedicate some application security (or otherwise relevant security team) capacity to help build the products themselves. Rather than standing on the sidelines pointing out pitfalls and threat models, roll up your sleeves and help execute on the work. You will see that not only will the products be better, but engineering teams will appreciate the partnership. Over time, engineers will start engaging security on how the security team can help them deliver better and faster, rather than security finding out about projects when it’s already too late.
Identify Business Opportunity
It’s one thing to be a consumer of the business’ direction; it’s another to be a part of it. While this couples well with the sales component mentioned above, this is more about how security helps ideate and identify business/product opportunities.
The ability to help identify business opportunities speaks to security’s role in the company and the ability of the CISO to truly understand the business. How can security adjust the lens through which the business looks, so that previously hidden opportunities become visible? I have used this approach in the past to identify customer markets parallel to the primary customer base, and to identify products that can serve that new customer base while also providing benefit to the existing target market.
End Goal and Metrics
Thematically speaking, finding ways to grow the business means that you have a business-aligned security program. That in turn means there must be metrics that capture the impact security is having on growing the business. The metrics can show how much revenue was captured earlier as a result of a decreased sales cycle time (e.g. days saved on risk reviews multiplied by deal value), or the revenue generated by a feature built or proposed by security.
The goal is to show that security is not just a cost center but also a revenue generator. That shift helps the business contextualize security’s impact differently.