A locked door. A castle moat and drawbridge. An onion? These are all common analogies used to explain how cybersecurity protects people and information. All of them envision security as a barrier to keep the good in and the bad out. But has this mindset limited how the security organization contributes to the overall business?
Security leaders have the opportunity to become business leaders that enable innovation and resilience. One of Evanta’s top CISO focus areas for 2022 is building a culture of security to enable smart, secure decision-making.1 However, creating that culture may require a perception shift in many organizations.
Security teams also can contribute more to the business if they get the chance. These teams encompass a broad range of skills and experiences that go beyond security, such as process optimization or development, but they’ve been pigeonholed in the narrow scope of “security.”
Cybersecurity as a business function suffers from an image problem, often being viewed as an external protector but an internal barrier. The negative perception has been built up over years of interactions to include thoughts like:
- Security is the team that always says “no”
- Their policies make doing my job harder
- The tools make my computer unusable
In many cases, these statements are hyperbolic, but it can be hard to change other people’s perceptions. With the right strategy and some hard work, security can go from being a benevolent adversary to a valuable partner that makes doing business easier. Here are three things a security organization can do to improve its image:
- Develop unconventional partnerships
Changing perception is something your organization’s marketing department specializes in. Build a relationship with them to get help creating a strategy, and start thinking of security as a service to market within the organization. Part of your plan should include defining your target audience and your desired end goal. Gather feedback to figure out what your audience thinks today in order to guide your strategy and measure success. Your security marketing plan can have a dual mission: both to improve the team’s image and also help educate employees about security awareness.
Don’t forget to make the partnership equal. Do you have data the marketing department might find helpful? Are there policies impacting their work for which you can make exceptions? They can become the first group in the organization to change their view of security.
- Shift from “no” to “yes, and…”
In improv theatre, the rule is to never say “no,” as that stops a scene dead in its tracks. Instead, you reply “yes, and…” to build on the scene and move it forward. It’s less straightforward in security, but a big way to help shift perception is never to jump straight to no. Is there a compromise or limited exception that can be offered? Is it simply a case of not now, but later? And if no is the only answer, explain why.
“Yes, and…” also presents a great opportunity to offer other ways the security team can start building a reputation as a trusted advisor. When responding to a request, you can also help incorporate automation or other newer technologies that other departments may be less familiar with. This allows the security team to move beyond the role of protector to become an innovator within the organization.
- Build trust with other teams
Sometimes security is deliberately kept out of the loop because people don’t want their projects to be held up. Obviously, this can cause huge problems and is why DevSecOps has become popular to integrate security earlier in the development lifecycle. Building trust with other teams is critical to inclusion. Part of that process is to foster understanding with reluctant teams by taking the time to learn more about what they do and what their challenges are. That needs to go beyond IT to departments such as sales, finance, operations, and engineering.
With new partnerships, positivity, and trust founded on open and honest conversations and a solid marketing strategy, you can change how your business views security.
To learn more about how your security team can go from protector to business partner, register for the upcoming Taos webinars:
Is Compliance Part of Your Culture? Join Larry LaBas, Security/GCP Practice Leader, Jay Cuthrell Partner Offering Leader & Tim Clark, Principal Architect, on Thursday October 20th at 2pm EDT.
Transforming Security into a Business Enabler. Join Larry LaBas, Security/GCP Practice Leader and Tim Clarke, Principal Architect, on Thursday October 27th at 12pm EDT.
- Evanta, The CISO Business Leader: What’s Ahead for CISOs in 2022, January 2022