What are your career goals in the security field? Chief Information Security Officer (CISO)? Head of Risk and Compliance? Entrepreneur? Where do you see yourself in five years? Talented security professionals are in demand.
The war for talent shows no sign of slowing down. As you make decisions about your development and employment, are you thinking about your destination?
A number of security professionals that I’ve talked with say that they want to become CISOs. This is seen as the pinnacle of the security profession in a number of circles. The Why they want to become CISOs seems to be pretty straightforward. They see the CISO role as security focused, allowing them to stay close to new technical trends, emerging challenges, and familiar skills, yet still achieve an executive level of experience (and compensation).
Seasoned security executives may see this perspective as callow. The assumption that the CISO is the mountain top for a person in the security field is somewhat misguided. Furthermore, leadership positions in security are tremendously difficult roles.
Women and men in these roles are often struggling to retrofit security into their organization’s culture, architecture, and operations. Women and men in these roles usually operate with limited budgets, staff shortages, and the anxiety that they are likely be held accountable for a breach or incident.
How to become a CISO or C-level security executive is often unclear. However, an informal and formal survey of executive search and security thought leadership firms point to soft skills as a critical skill set that security professionals often miss.
Credentials and certificates indicate a level of technical acumen and rigor. In many cases, this is the price of admission, established by well-intended HR departments. Unfortunately, the emphasis on technical acumen ignores some of the biggest differentiators in securing an organization: business value, behavioral change, and communication. Defining soft skills can get… soft, but we will focus on these three as they apply to use cases in the security industry.
1 – Business Value
Business leaders understand profit and loss, revenues and costs, capital expenses and operating expenses. Security is often seen as a cost center, putting a drag onto revenues and adding bureaucracy. The difference is frequently a matter of perspective. I have seen members of the Fortune 500 approve $20M USD investments without a supporting business case, primarily because of internal political influence. This is an entirely common practice.
Additionally, business products and plans are often set without an internal check or review from the technology team, let alone a security review. Some organizations are changing this to avoid rework and risk, but this is still the exception rather than the rule. Security needs a clear return on investment (ROI) and total cost of ownership (TCO) projections.
Effective security professionals, particularly as they grow into executive level positions, can clearly align security to business priorities, integrate with initial strategic planning, and avoid being picked off during project or budget approval processes.
Consider the example of a new warehouse and assume that the VP of Supply Chain wants to open a new facility across town. She wants to facilitate faster delivery, support business continuity, and add capacity. As a security professional, you need to ensure that this initiative is secure, safe, and low risk. Getting the new warehouse up and running is her top business priority.
This is a golden opportunity to partner with the VP of Supply Chain to ensure that security is included by design. Beyond facilities security, you can look at the entire end to end process for the warehouse, e.g., pick, pack, ship, invoicing, supplier management, route management, delivery notifications, reconciliation, etc.
• Do warehouse employees need to know the payment information or customer information during pick, pack, ship? Could we simplify the use of regulated or business sensitive data by removing that information from the packing order?
• If they need access to this information, are records stored properly and securely? Are paper pick orders with name, address, and phone information shredded or are they simply put into the recycling bin?
• Do warehouse employees use hand scanners or tablets? Do we have the ability to remotely wipe the data from a tablet if it is lost or stolen? Is warehouse Wi-Fi secured from other business or external traffic? Are there any dead spots in the warehouse?
Questions like these demonstrate the benefit and positive aspects of security. Value needs to consider not just the cost to achieve a new warehouse, but the total cost of ownership after implementation. SMBs may consider 12 months to be sufficient time to project costs and expenses after implementation. Larger organizations typically review total cost of ownership (TCO) and return on investment (ROI) in 2 – 3-year increments.
If you work in an organization that does not require business cases or attempt to project budgets and cost to maintain, that is an opportunity to help shift the culture to more sustainable practices. The finance team is typically a strong ally in this effort and business leaders respond well to the notion that a strong business case, based on merit, is more likely to be approved than a weak case.
2 – Behavioral Change
Security technology and solutions support people as they work. Advances in Artificial Intelligence (AI) will automate a number of activities, but AI can be used as a force for good or as a force for evil. Cybersecurity adversaries will use these same advances to further their objectives.
A vigilant workforce, supported by strong processes and tools, is your best defense. The challenge is that security, in addition to being seen as a cost center, is often seen as boring. Text heavy security bulletins are rarely read. Scary videos and headlines reinforce the tendency to cover up or hide mistakes, rather than come forward.
Security professionals that are successful are effective. Audits that drive change. Business processes that are efficient and secure. Supply chains that are resilient. These results matter to a business or organization. Marketing, visualization, encouragement, and humor are all powerful weapons in your arsenal. Use them.
Building upon the VP of Supply Chain example and the new warehouse, you are already aware of the key pressure points that are driving the business. Behaviors that accelerate positive results and avoid negative results will be adopted more readily. Yet overcoming an individual or organizational immunity to change is difficult. Habits die hard and culture eats strategy for breakfast.
Security professionals often lean on their technical understanding and background to solve their problems. This approach neglects the biggest asset available to most organizations, which is employee time and attention.
As part of introducing a new solution to help secure the warehouse, e.g., removing customer payment and address info from the pick order forms, borrow a page from marketing professionals. Individuals need to hear a marketing message at least 3 times before they retain it. This does not mean that you should force them to attend training three times.
Rather, reinforcement through video, audio, and images improve effectiveness. A number of organizations with high accident rates, such as construction, ship building, and oil drilling, begin their day with a safety moment or tool talk. These are 5 minute sessions reinforcing security and safety on an ongoing basis.
Furthermore, clear actions and behaviors are essential. While it is a good start, it is not enough to make people aware of the potential for cancer. Teaching people how to conduct a self-examination, how to speak to their doctor when they review test results, and how to get support through treatment saves lives.
Security in your organization needs to explain how to self-diagnose a phishing email, how to escalate for help, and remediation actions that security will take with them to help. In parallel, using technology and tools to shield your business colleagues creates a holistic approach to security, addressing potential people, process, and technology gaps.
3 – Communication
Security is not the driver of the business. Lack of security can significantly damage a business or enhance your brand, but security does not typically generate top line revenue. 60% of the SMBs that experience a breach never reopen. Knowing that, a number of business executives tend to believe that ignorance is bliss. After all, they have a business to run.
Security professionals need to understand their business stakeholders and counterparts thoroughly. At the most basic levels, security professionals need to understand how their partners in the business work and speak. Communicate in a common lexicon or language.
Revisit the information security setup in the new warehouse. Who is working in the warehouse? What are their peak hours? Do they operate 24 x 7? Are they covered by a collective bargaining agreement? What are their measures of quality or success? How do they do their jobs? What tools do they use, e.g., tablets, pen and paper, hand scanners, robots, etc.?
If you are speaking to your colleagues in unfamiliar terms, how can you demonstrate the value of security or hope to change behavior, aside from using fear? Shame and fear are powerful motivators, but they encourage people to cover up or hide uncertainty or mistakes.
Approaching security through fear is a key contributor to the current average of 6 months to discover a security incident. Would you ask for help if your company had a policy of hanging a fishing rod on your office door when you clicked on the link in a phishing email?
Follow them around. Listen. Understand how they work, learn the language, and understand the frustrations and motivations of your business counterparts. Finance teams speak in terms such as month to close, outstanding invoices, and operating margins. HR teams speak in terms such as time to recruit and hire, learning and training effectiveness, and employee turnover.
Know their dashboards and processes, so that you can help them identify security vulnerabilities and solutions collaboratively. Align your security metrics to their performance objectives and goals. Speak clearly and openly about the metrics that are meaningful and clear to your stakeholders. It is their behavior that you are trying to change, either through translating awareness into action, using a new process to escalate issues, or activating tools like Virtual Private Network (VPN) utilities when they work remotely from a coffee shop.
Guest Author: Matt Leathers, Senior Consultant, at Kettle Consulting Group, with over fifteen years of consulting and industry experience, working for some of the leading consulting firms in the world.