Why is your risk remediation plan getting ignored?
Do you know how to turn security into a business enabler? This is a challenge I’ve faced consistently throughout my career, and in plenty of recent conversations with other CISOs I’ve found that it is ultimately one of their key challenges as well.
If you’re a security leader, you might be familiar with the scenario where you identify the most pressing security risks for your business, present those risks and a remediation plan at your board meeting, and then leave that meeting feeling great because the board has approved your plan and said, “You have our full support, security is very important to us.”
But then, almost nothing happens. The quick fixes get implemented, but the more challenging, long-term actions don’t get done.
So why is your plan being ignored, even after you gained approval and backing from executives? And how can you overcome this dilemma?
The culprit: competing priorities
Your plan is likely being neglected because your company, like virtually every organization, has competing priorities. You looked at costs, you looked at the acceptable risk, but you forgot to consider the speed of the business.
Every measure you take has a cost attached to it, but it also has an impact on the speed of the business.
Let’s say you have a digital product that is delivering value to your organization (revenue, growth).
With a digital product, the engineering organization delivers that value by shipping new features and functionality. As soon as you put a technical measure in place to remediate a risk, it may slow engineering down, and if it does, that slowdown has a direct impact on the business.
Let’s say you go to the board and tell them you want to remediate a risk, and they decide that the remediation you propose comes at an acceptable cost. Then, 30 minutes later, the CTO enters the room and asks for support because development needs to speed up: they have to be better and faster than the competition in the market.
The result is a set of competing priorities in which you, the security leader, often won’t win against the business.
Building alliances is key
The key challenge (or opportunity) for a CISO is to take that impact on speed into account in your risk management. To do that, you have to build alliances: not just with the CFO to look at the costs, but also with the CTO.
If the CTO (or someone in a similar position, such as the VP of Engineering or the CPO) is delivering new functionality every 15 minutes via the CI/CD pipeline, and you agree that a slowdown of two minutes is acceptable, then you’ve got your alliance and your window of opportunity for security. It’s up to you to find the measures that deliver the most risk reduction inside those accepted two minutes.
How can you avoid impacting speed and cost?
Now the magic comes in working with your CTO to determine how your remediation plan could have less impact on the CI/CD pipeline while still accomplishing your security goals.
For example, you could prioritize measures that have less impact on speed, or choose measures that integrate better into your CI/CD pipeline: ones your developers already understand and that cause less friction because they don’t have to jump from tool to tool.
Small adjustments like these can be game changers, because they limit risk without affecting the speed of the business.
To limit costs, you need to consider a few things as well. Do you want many point-solution tools, or can you cover your needs with fewer tools? Can you decentralize your security organization? That might help you overcome a talent shortage, so you don’t need to hire additional employees.
Do you need your own security operations center (SOC), or can you externalize it? From a CISO’s perspective, you should spend more time finding ways to reduce costs and avoid slowing the business than on the risk itself, because once you have identified and measured the risk, your priority becomes finding the measures that are best suited to your company.
That’s how you become a business enabler: you implement the security measures that fit your business best. There is always a way to do more security at lower cost, or more security with less impact on speed.
What’s most important to your business?
You need to understand what’s important to your company. For me, speed is more essential than cost. In a scale-up with Series B funding, for example, cost is usually not the driving priority; the product is. That’s a scenario where you might want to prioritize speed.
In many public and large companies the approach is driven more by cost and reputation, so there you might look first at cost and at the reputational impact a potential security incident would have.
Regardless, you always need to look at both dimensions. If you have built the alliance with the CTO and the CFO up front, you will leave your board meeting with a plan that actually gets implemented.
How to put it into action
- Look at security as a data problem. One core pillar of success is to treat security as an engineering and data problem. Treating it that way will help you overcome blockers and boundaries.
- Automate. The more you automate, the lower your costs, and the easier it is for your developers. Look for fewer, more effective tools to accomplish what you need. With fewer tools your processes become lean and less complex, and you have fewer contracts to pay for and keep up with.
- Leverage data. Machine learning is very effective at processing large amounts of data, and with it you’ll find new and more effective ways to do security: it can help you write detection rules and patterns and tune them continuously. It only works well if you can process all the data you have, and if you have enough data to begin with.
Connect with me
Hopefully this advice will help you turn security into a business enabler at your company. If you have tips or lessons learned about implementing effective security plans, I’d love to hear them. Please reach out to me on LinkedIn to chat.
With more than 20 years of international specialist experience, including CISO roles in Switzerland, Andy Schneider is the Field CISO, EMEA, at Lacework and is a member of several advisory boards. He holds several professional certifications, such as the C-CISO, CISM, CISSP, CRISC, and is also certified in ISO 27001 and ITIL V3.