Boardroom Conversations on Security is an ongoing series on how to discuss and present cyber security concerns to your board. It comes from an extended conversation between Enrique Salem, Investor at Bain Capital, and Erkang Zheng, CEO of JupiterOne. For your convenience, the entire series is available as a single download.
"Enrique, how do you address a board who sees security and controls as an impediment to getting work done?"
To that question, I worry about independence of the board. I worry about employees who see security and compliance as an impediment to their job.
A couple of years ago, I was hosting a round table with about a dozen CISOs. We were sitting there and we were talking about this issue and one of the CISOs said, "I get invited late to every discussion. It's like we're building a new system, and then they invite me." One of the other CISOs said, "Yes, it's because you've gotten really good at saying no and telling us why we can't do that." The issue behind this question is that, internally, a lot of line-of-business leaders and individuals in the business say, "The security team just slows me down. It's never additive. It's almost like what I can't do, not how do I."
It has got to start with this mindset that the security team is really thinking through and being a bit ahead on the business needs. What are the questions that we're going to get as a security team, so that we can basically be front-footed instead of reacting?
Let me give you the one that gets most lines of business antagonistic towards security: they need to bring a new vendor into the business. Whether they bring a vendor for marketing, for sales effort, for support. The process to validate a vendor sometimes takes way too long. We need to have a way of saying, "How do we validate vendors efficiently?"
I remember being in a company where vendor validation sometimes took four to six weeks. Imagine a marketing team who's saying, "I want to run a campaign. I want to share some set of email addresses and customer names." But before I can interact with the vendor, between compliance and security, it takes four to six weeks. This is the place where you end up in this discussion of employees, and potentially the board, seeing us as a hindrance, not a benefit. The way to do it is just say, "Identify the areas where you get a lot of questions and make it easier."
Another place I find is there is a lot of new software being developed that employees and people want to use. Many times the security team will say, "Well, that is not an approved product!" Well, guess what? This is where you get into the whole shadow IT discussion where people will go, "Okay, well, I'm going to go around security, I'm going to go around the team, and I'm going to go get the package myself and get it up and running."
How do you anticipate the requests that are going to come in to the security team and say, "We've thought about that. Here's how we do it. Here's how we do it efficiently"? The more you can be front-footed in anticipating those needs, the better.
The other tip I've always given folks, especially as you get bigger and more mature companies, is as much as you can, embed a security professional, somebody in the security team, with the line of business, so they really understand the line of business. Instead of the security team being educated on the line of business, they understand that part of the business very, very well, and they're part of it, and they're part of the day-to-day decision making. I think that helps. Embedding security experts in lines of business goes a long way.
That's a really passionate topic of mine because I've been through this firsthand myself at Fidelity and other places. The same thing happens, not just to security; it happens in engineering, IT, in many functional disciplines. I'll use software development as an example.
Before this whole DevOps and Agile development took hold, what did we have? We had developers, we had QA, we had production support, and we had all of these different roles and different functions doing different things. Developers would throw something over to QA and say, "Okay, good." They would throw something to production, and when something broke, nobody knew what was going on.
We now have DevOps. As an example, we have developers using automation to test their own code. I see security and the rest of the business teams, the engineering teams, the business functions, and marketing. They need to operate in a similar kind of DevOps and Agile fashion to be part of the same team. It is like we were saying earlier about the executive teams and the board: it is not an adversarial situation. It is the same between security and the rest of the organization. It is about how we establish that partnership and how we establish the ways of operating to create a contract between them.
On the flip side, on the security team side, how do we find that solution to make security easy to consume for the other organizations? It goes both ways: the business units and organizations need to understand the difficulties of the job that security has, and vice versa. Security needs to take that into perspective and make it easy for the business users to consume it.
Read the full Boardroom Conversations series:
- Boardroom Conversations Part 1
- Boardroom Conversations Part 2
- Boardroom Conversations Part 3
- Boardroom Conversations Part 4
- Boardroom Conversations Part 5
- Boardroom Conversations Part 6
- Boardroom Conversations Part 7
About Enrique Salem
Enrique Salem was the president and CEO of software company Symantec from 2009 until 2012, and was a member of Barack Obama’s U.S. President's Management Advisory Board. Enrique joined Bain Capital Ventures in 2014, where he focuses on infrastructure software and services with a specialization in cybersecurity.
About Erkang Zheng
Erkang Zheng is a hands-on leader in cybersecurity. He is an engineer by trade and an entrepreneur at heart. Before starting JupiterOne, Erkang was CISO, Privacy Officer, at GM LifeOmic Security. In August of 2021, Erkang was selected as one of The Top 25 Cybersecurity CEOs of 2021 by The Software Report.
Posted By Mark Miller
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain.
Mark actively participates in the DevOps/DevSecOps community by building DevSecOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. He is the Senior Storyteller and Senior Director of Community and Content at JupiterOne.
As well, Mark is Executive Producer of the DevSecOps Podcast Series (300K+ listens), and the Executive Editor of the LinkedIn DevOps Group (124K+ members).