Peter Margaris, Head of Product Marketing at Skybox Security, tells us that the CISO and their security teams have an image problem. “The CISO isn’t a Grinch-like figure who’s hellbent on preventing progress within their organisation,” he says.
This is an era of tectonic change for many businesses: they’re shedding increasingly archaic processes and practices and embracing innovation. In many ways, Digital Transformation initiatives should be celebrated. These are projects that exist to make life easier for employees, improve operational efficiencies, drive down costs and expand business growth. But there is a sting in the tail and it’s hurting the CISO and their security team. The CISO has an image problem.
Digital Transformation projects are expensive. They’re complicated. They have a lot of moving parts. So when a new investment in, say, a public cloud service gets the green light, it makes sense that the team responsible for its deployment is keen to enjoy its benefits as soon as possible. The perception of any project’s success can be hindered if it takes too long to deploy, which is why DevOps teams are increasingly reluctant to involve the security department in the process. Security is seen as a roadblock, as a team which says ‘no’ and stands in the way of progress. This needs to change. The CISO, and the security function as a whole, need recalibration. They need to become ‘The Department of Yes.’
Why security has become the ‘Department of No’
Of course, the perception that many have about the CISO is unfair and lacks nuance. The CISO isn’t a Grinch-like figure who’s hellbent on preventing progress within their organisation.
They know better than anyone just how impactful and transformative the right technology can be. Without being able to automate change management processes, for example, their team would be wasting a lot of time on manual logging and testing. But they also know that any new investment expands the attack surface, can bring in a number of new risks, and introduces further fragmentation to their already complex hybrid networks.
Most of the time, the CISO isn’t actually saying ‘no’. What they’re saying is: ‘Let’s take some time to make sure that this new investment is properly secured and doesn’t introduce unnecessary risk to our organisation.’
And while they’re trying to say that, they’re thinking about how that one request, and many more like it, add to their already heavy workloads. They’re feeling the stress. And this stress can make a request to take a few steps back and properly map out a deployment plan sound very much like a ‘no’.
What many people don’t understand is just how difficult the CISO’s job has become over the last decade. Everything has gone digital, proliferating technology and systems that produce and manage critical business data. Traditional security boundaries have vanished and they are operating with network complexities that would have been previously unimaginable.
Internationally dispersed, mobile workforces and outsourcing have become commonplace within many organisations, creating countless connections that span multiple continents. The number of regulatory mandates that the CISO has to navigate is dizzying.
Complexity is the CISO’s number one problem – it’s only natural that they may seem resistant to anything that may further compound this issue.
CISOs lack necessary network visibility
But pushback from the CISO and their security team doesn’t just happen because they’re worried about their workloads. Many are also concerned because they know that they’re not in the best position to secure any additions to their environment.
If they don’t already have visibility over their hybrid estate, they can’t picture their security status as it is now, let alone how it would look with any number of innovations tacked on.
When they put their hands up to say, ‘stop’ or ‘slow down’, it’s because they know just how dangerous new third-party apps, or virtualised networks, or IIoT devices can be to their already fragile risk posture.
In most organisations, a lack of network visibility, combined with inconsistent security measures around new technology deployments, is the root cause of security being seen as ‘The Department of No.’
If this perception is going to change, then the CISO needs to gain full network visibility and the ability to model the network and predict the effect of changes to it. If they’re able to see everything that needs to be protected, and to analyse and predict where risks and vulnerabilities may arise, they will be more confident in their team’s ability to deploy and protect new network elements. It’s the first step to security becoming ‘The Department of Yes.’
The danger of saying no
Progress waits for no man. While security teams may find themselves at a stalemate, organisations are still charging full-speed ahead with their Digital Transformation initiatives. They don’t have time to navigate any impasse; they know that they need to innovate to become more efficient and to maintain a competitive edge.
This results in security being overlooked. If it isn’t ignored completely, it’s relegated to an insufficient checkbox exercise during DevSecOps processes. When properly embedded, security underpins the success of any innovation. But when security is sidelined, it’s possible that an organisation’s Digital Transformation initiatives could bring the business to its knees.
Disconnected processes often lie behind poor security, and the likelihood of process disconnect only increases in hybrid environments. One of the main reasons is the separation of teams responsible for different portions of the network. In hybrid environments, not only can there be separation between the security and operations teams; the growing DevOps/DevSecOps team also adds yet another layer of departmental complexity.
The CISO needs to make sure that process disconnect doesn’t impact the delivery of effective security. They need to ensure that they don’t operate within silos and that they have the oversight needed to ensure that all processes are fully aligned.
One example of how misalignment harms organisations is when cloud services are misconfigured. Many organisations work on the assumption that cloud services are secure by default, but if access to them (network rules, identity policies, storage permissions) isn’t properly configured, they could end up ushering in any number of new threats.
Insufficient cloud security controls and a lack of testing are leaving many businesses exposed, and this trend will continue to gather pace if cloud deployments aren’t fully within the purview of the CISO.
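As an added example (not the article’s or Skybox’s own code), the script below audits a constructed, vendor-neutral security-group rule list for the kind of misconfigured access points the previous paragraphs describe, and produces a hardened copy that passes the same audit. The field names, the admin network 198.51.100.0/24 and the 16-port “broad range” threshold are assumptions, not a real provider’s API.

```python
"""Audit a cloud network access policy for overly permissive ingress rules.

Added illustration: the rule shape below mimics a cloud security group but the
field names are assumptions, not any provider's real API.
"""
import ipaddress

# Services that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
               6379: "redis", 27017: "mongodb"}
WORLD = {"0.0.0.0/0", "::/0"}
MAX_RANGE = 16  # assumed threshold: more ports than this from one source is "broad"
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the "we assumed the cloud was secure" security group.
SAMPLE_RULES = [
    {"direction": "ingress", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"direction": "ingress", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"direction": "ingress", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "0.0.0.0/0"},
    {"direction": "ingress", "proto": "-1", "from_port": 0, "to_port": 65535, "cidr": "10.0.0.0/8"},
    {"direction": "ingress", "proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "203.0.113.0/24"},
]


def rule_ports(rule):
    """Inclusive port range a rule opens."""
    return range(rule["from_port"], rule["to_port"] + 1)


def is_internal(cidr):
    """True if the source CIDR lies entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)


def audit(rules):
    """Return (severity, message, rule) findings for risky ingress rules."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        ports = rule_ports(r)
        hits = [f"{p}/{name}" for p, name in ADMIN_PORTS.items() if p in ports]
        if r["cidr"] in WORLD:
            if hits:
                findings.append(("high", f"admin service(s) {', '.join(hits)} open to the internet", r))
            if len(ports) > MAX_RANGE:
                findings.append(("high", f"{len(ports)} ports open to the internet", r))
        elif not is_internal(r["cidr"]) and len(ports) > MAX_RANGE:
            findings.append(("medium", f"{len(ports)} ports open to external range {r['cidr']}", r))
    return findings


def harden(rules, admin_cidr="198.51.100.0/24"):
    """Return a corrected copy of the rules.

    World-open admin ports are restricted to admin_cidr (assumed bastion/VPN
    network); broad ranges from the internet or other external sources are
    dropped, since the needed ports must be decided by the service owner.
    """
    fixed = []
    for r in rules:
        r = dict(r)
        ports = rule_ports(r)
        if r["direction"] == "ingress" and r["cidr"] in WORLD:
            if len(ports) > MAX_RANGE:
                continue  # catch-all exposure: remove rather than narrow blindly
            if any(p in ports for p in ADMIN_PORTS):
                r["cidr"] = admin_cidr
        elif (r["direction"] == "ingress" and not is_internal(r["cidr"])
              and len(ports) > MAX_RANGE):
            continue
        fixed.append(r)
    return fixed


if __name__ == "__main__":
    for sev, msg, rule in audit(SAMPLE_RULES):
        print(f"[{sev}] {msg}: {rule}")
    print("after hardening:", audit(harden(SAMPLE_RULES)))
```

Run against the constructed sample, the audit reports the SSH and PostgreSQL ports open to the internet and the all-ports rule from an external range, while the HTTPS rule and the internal catch-all pass; the hardened copy produces no findings. The same loop runs unchanged over rules exported from any provider once mapped to these fields, which is the kind of continuous, automated check the CISO needs in place before a deployment is waved through.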
Which is why it’s so important for security to be seen as ‘The Department of Yes’. If they are known as a driving force behind ensuring the success of any innovation, then they will improve their position within their organisation and be able to influence future transformation strategies.
Becoming ‘The Department of Yes’
The first step towards becoming ‘The Department of Yes’ is gaining complete and continuous network visibility: aggregating all the data needed to model the network accurately. From there, security teams will be able to assess their business’s current security posture and can be confident in their ability to adapt to changes as and when they come.
On top of this, the CISO needs a context-rich understanding of their security environment. They need analytics that give them insight into potential risks and their compliance status at all times.
Finally, they need to make the most efficient use of their existing resources. The best way to do this is by introducing intelligent automation that saves time and money, improves the outcome of processes and frees up teams to focus on more strategic tasks.
To shed their negative reputation, security departments need to stop operating on the back foot. When they know that they’re in control of their entire hybrid estate, they’re in a much better position to say ‘yes’ and welcome innovation with open arms.