Steve Durbin is Chief Executive of Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.
Recent global events such as the pandemic have allowed security leaders to showcase the potential strength of cooperation between security and business stakeholders. By working together pragmatically and collaboratively, they have been able to tackle difficult and unprecedented challenges, all the while managing the risks that come with them.
However, for many security leaders, maintaining these relationships and capturing the attention of busy business stakeholders can be quite difficult. I believe that this is partly due to the long-standing preconceptions that each party has about the other.
But by fostering collaboration and aligning security initiatives with business goals, I am certain that security leaders can build off earlier momentum, drive innovation and enhance organizational resilience.
Historic Perceptions Holding Back Security And Business Relationships
While business leaders and security teams are often aligned on a common goal of achieving the organization’s tactical and strategic objectives, they may find themselves aiming for that goal in inadvertent isolation without consideration for each other’s values and drivers. This is where conflicts can emerge, and then the opportunity to drive value from security is missed. To help avoid this conclusion, here are some of the key things I’ve witnessed leading to such conflict:
• Lack of respect. While the importance of maintaining legal and regulatory compliance and controlling risk is recognized in the business, security teams can be accused of overplaying this, stifling business innovation and development rather than contributing positively to it.
• Lack of empathy. There can be a lack of understanding and empathy between business and security teams regarding each other’s needs and expectations. The business team often accuses the security function of not comprehending its role while the security team claims that the business group is too preoccupied to prioritize security matters.
• Lack of distinction. In many organizations, there is a lack of distinction between security and IT, which hinders the security team’s ability to directly collaborate with management and establish a more business-focused relationship.
Applying Security Changes In Isolation Causes Tensions
In my experience, in order to achieve strategic goals, organizations need to prioritize collective efforts. Working at cross purposes should be the least of your worries. When working in isolation, security teams can have adverse effects on fundamental operations such as cost control and business agility. This is especially true if security solutions are not fully understood, adequately communicated or appropriately owned and maintained.
How Can Security Teams Strengthen Business Relationships And Unlock Value?
By following the best practices below, security professionals can demonstrate and more clearly realize their value without conflict.
1. Promote the relevance of security in the business value chain.
Trying to justify the value of security to an unconvinced business can be challenging. So, it is important to approach such conversations in a balanced and pragmatic way. Explain to the business how security overlays, integrates and complements all activities in the business value chain. Demonstrate how security controls within those activities can ultimately help create, maintain and protect business value.
2. Encourage collaboration to balance the cost, risk, agility and security equation.
As security leaders negotiate what controls should be added, altered or removed, it is important to outline the business, technical and risk-based benefits (using variables such as cost, risk, agility and security controls) supporting a value-based decision-making process. Risk, if managed appropriately and collaboratively, can present a business opportunity. It’s unmanaged risk that is the true enemy.
3. Improve the relationship with the business.
Security leaders must understand the business goals (i.e., put business first), and then work backward to understand how security can help to achieve these goals. If this is done in concert with business stakeholders, it tends to better manifest as consultative behavior, opening the doors to potentially constructive and valuable conversations.
4. Make language relatable.
Marketing the security proposition requires empathy, understanding and an ability to see the world through the business lens, expressed in their terms. This requires good comprehension of business operations, the terminology and language used and clarity on the implications of what happens to the operations when things go awry.
“If we don’t act now, we will face a ransomware attack” is a benign statement. “If we don’t act, a ransomware incident will shut down manufacturing, inventory will drop and within 48 hours we will not meet customer demand, which will impact reputation and finances” resonates more clearly and will gain a business’ attention.
5. Develop a positive image and culture for security.
The value and relevance of security can be enhanced by the formation of a culture that encourages positivity and creative thinking. The objective should be to replace the historic perceptions of a stifled, bureaucracy-heavy security culture with one that encourages a more creative relationship with the business to flourish. It is incumbent upon the security leader to set the right tone and enable such a culture to develop.
I am certain that if security leaders hone their knowledge, skills and competencies in becoming more business aware; follow a more collaborative and consultative approach in their security decisions; create the right tone and environment within the broader business; and develop a culture that projects security teams as being fresh and innovative, then they can forge stronger ties with business leaders and convey the security proposition more strongly and more confidently.