Why Security Needs to be the “Department of Yes”
William Grove Feb 25, 2020
The cybersecurity world is more complex than ever. Everything has gone digital, traditional security boundaries have vanished, workforces are mobile and internationally dispersed, and the number of regulatory mandates that the CISO has to navigate is dizzying. Add to that the need to secure an increasing number of rapidly spun-up innovations, and security's reputation for pushback shouldn’t be surprising.
Security is seen as the team that says “no” and stands in the way of progress. This needs to change. The CISO, and the security function as a whole, needs recalibration. They need to become “the department of yes.”
Why Security Has Become the “Department of No”
Of course, the perception that many have about the CISO is unfair. The CISO knows better than anyone just how impactful and transformative the right technology can be. Without being able to automate change management processes, for example, their team would be wasting a lot of time on manual logging and testing. But they also know that any new investment widens the perimeter of the attack surface, can bring in a number of new risks and introduces further fragmentation to their already complex hybrid networks.
Most of the time, the CISO isn’t actually saying “no.” What they’re saying is, “let’s take some time to make sure that this new investment is properly secured and doesn’t introduce unnecessary risk to our organization.” And while they’re trying to say that, they’re thinking about how that one request, and many more like it, are adding a greater burden to their already heavy workloads. They’re feeling the stress. And this stress can make a request to take a few steps back to properly map out a deployment plan very much sound like a “no.”
In most organizations, a lack of network visibility combined with inconsistent security measures tied to new technology deployments is the root cause of security being seen as “the department of no.” If this perception is going to change, then the CISO needs to ensure that they can gain full network visibility and predictive modeling capabilities. If they’re able to see everything that needs to be protected plus analyze and predict where risks and vulnerabilities may arise, they will be more confident in their team’s abilities to deploy and protect new network elements. It’s the first step to security becoming “the department of yes.”
The Danger of Saying No
One example of how misalignment harms organizations is the misconfiguration of cloud services. Many organizations work with an assumption that cloud services are secure, but if their access points aren’t properly configured then they could end up ushering in any number of new threats. Insufficient cloud security protocols and a lack of testing are leaving many businesses exposed and this trend will continue to gather pace if cloud deployments aren’t fully within the purview of the CISO.
This is why it’s so important for security to be seen as “the department of yes.” If they are known as a driving force behind ensuring the success of any innovation, then they will improve their position within their organization and be able to influence future transformation strategies.
Becoming “The Department of Yes”
The first step towards becoming “the department of yes” is deeply rooted in gaining complete and continuous network visibility to allow for aggregation of all relevant data needed to effectively model the network. From there, security teams will be able to assure their business’ current security posture and can be confident in their ability to adapt to changes as and when they come.
On top of this, the CISO needs to have a context-rich understanding of their security environment. They need analytics that give them insight into potential risks and their compliance status at all times.
Finally, they need to ensure that they are making the most efficient use of their existing resources. The best way to do this is by introducing intelligent automation that will save them time and money as well as improving the outcome of processes and freeing up teams so that they can focus on more strategic tasks.
To shed their negative reputation, security departments need to stop operating on the back foot. When they know that they’re in control of their entire hybrid estate, they’re in a much better position to be able to say “yes.”