This article was first published by Alison DeNisco Rayome of TechRepublic on April 9, 2019.
CISOs need to gain a seat at the table to discuss strategy and building cybersecurity into product development. Here’s how.
Once buried in the IT department, cybersecurity is increasingly becoming a major priority for all businesses, in the wake of near-constant high-profile breaches that have tarnished brand reputations and even put some companies out of business.
“Security has been buried in a CIO organization,” said Aisling MacRunnels, CMO and a founding member of security firm Synack. “It’s been an after-product cost center, and the only time a CISO or anyone on the security team really ever hears from anyone else in the company is because something went wrong. It’s always a negative.”
Digital transformation has changed the business’s view of security, MacRunnels said, moving it from a cost center to an integral part of the brand. The mindset shift has led to some struggle between past and future processes, she added.
In the past, companies focused only on compliance—checking the security box and moving on, MacRunnels said. CISOs were never included in planning sessions or product meetings. Today, business-side teams are finally asking about the security implications of products and processes, and including the CISOs in those discussions.
However, there still exists a lack of alignment between the business and security sides, MacRunnels said. “If you’re a CISO, you’ve got a lot of education on your hands to make other people inside your company really understand some of the challenges,” she added.
Here are five ways that CISOs can show the business side the real results of their cybersecurity efforts.
1. Become part of the conversation, not the aftermath
CISOs must position themselves to be part of the strategic conversation around company and product plans with other executives, rather than the person who is called in only when something goes wrong.
“A CISO should get into those conversations early so they can then build a security plan beyond just compliance, that’s built to partner with the team, and have that plan upfront,” MacRunnels said. CISOs need information on decision dates and milestones to structure their plan and make it most effective, she added.
2. Test frequently
If the security team is involved in the product development lifecycle from the start, it should also be performing ongoing penetration testing to keep pace with each new version and stay ahead of attackers, MacRunnels said.
“The goal is to be working and testing your code constantly, so every product ships on time and doesn’t have any vulnerabilities,” MacRunnels said. “It’s got to be just part of the everyday way we do business.”
3. Communicate in the business language
CISOs should use data points to speak the business language and help others understand the status of security work, MacRunnels said.
“You need to have a way for everyone to understand the status,” MacRunnels said. Using real numbers and examples will make your work resonate more with the development, marketing, and other teams, so they can make more informed decisions.
“If CISOs are going to show results, they have to speak the language that boards, executives, and their peer departments speak, because then they’ll be integrated into the conversation,” MacRunnels added.
4. Plan for challenges
“Anything to do with building and deploying code always has issues, and we plan on challenges along the way,” MacRunnels said. “What we don’t plan on is some of the security issues, and how to deal with them.”
It’s much easier to address issues before deployment; however, if the product is live and constantly being iterated, there needs to be a plan for solving problems as they arise. “Having a plan for that upfront and integrating it into the overall strategy is another way that the CISO shows that they are part of the team,” MacRunnels said.
5. Measure success
Once CISOs have implemented a security strategy, they must be able to measure the security team’s successes and share results along the way, MacRunnels said. “The celebration for the security team should be no security issues,” she added. “Too often, they’re only brought in when there are issues. They should be part of the same team that’s going out to celebrate that launch happened on time, and they met their goals.”