As you build your strong team, challenge yourself with these three next steps:
First, help your peers understand the value of information security. A good security team enables the business to increase its competitive advantage. THIS is the business value of information security. Good security ENABLES the business.
Second, make security everyone’s responsibility, not just the security team’s. Remind people that security is a primary responsibility for every employee, no matter who they are or what their role is. Security is done best when EVERYONE makes security their job.
Third, get security a seat at the executive table. Security must be allowed to build a strategic roadmap and given resources in order to be successful. Include security in strategic planning and budget discussions.
Reflection: How important is security at your company?
The success of cybersecurity at any organization comes down to how well the company’s leaders understand the business value of security. In other words, a company that values cybersecurity:
- Invests in your program
- Gives you a seat at the executive table
- And makes security everyone’s responsibility
On the other hand, if a company does NOT value information security, the opposite is true. A company that does NOT value cybersecurity:
- Won’t invest in your program
- Buries you deep in the org chart
- And places all security responsibility on a single person or team
Think about your organization for a moment. How is security thought about at your company?
- Do you have an adequate budget, resources, and staff?
- Are you invited to give security updates to the board?
- Do you have access to the CEO and other C-level executives?
- Does your position give you visibility into every aspect of the business?
- Are you consulted by other leaders in the business?
- Is it clear that security is everyone’s responsibility at your company?
The most impactful and successful security teams can answer all of these questions with a resounding YES!
Security is critical to the success of the business. We must be empowered to build a strategic roadmap and given resources in order to build that program. An organization’s security team should not be hidden beneath engineering or IT. It needs to be placed high enough in the org chart in order to be visible to everyone. The organization should view the security leader and the security team as trusted allies and respected advisors.
You won’t be able to build a successful team if you aren’t given the trust and autonomy to build out your program. Your ability to grow the next generation of cybersecurity professionals will depend on your own standing in the business and the amount of goodwill between you and your fellow executives. Cybersecurity needs to have a seat at the executive table.
Solution: How important is security at your company?
What if you don’t have a seat at the executive table? What if your team is buried in an IT organization, or your CISO reports to the CIO? What if security is just one team’s responsibility, instead of a shared responsibility across the organization? Can you still be successful?
The short answer is yes. There are things you can do RIGHT NOW to help improve how security is perceived.
It comes down to one simple principle.
Build trust.
Build trust with your peers and leaders. Look for allies in the business who understand the value of information security. Win hearts and minds for security by empathizing with fellow leaders and understanding their business problems. Share your knowledge - your team should act as guides and advisors for the business. Build trust by being consistent.
If you want someone to believe in your cause, make sure they know that YOU believe in THEIR cause.
- Align your security goals and team projects with your company’s goals and projects.
- Always think of how your InfoSec policies, procedures, and technology affect others.
- Always get buy-in and sign-off from the business when changes are made.
Make it obvious that your Information Security team is a service to the business, there to protect its assets and mitigate its security risks.
I want to be absolutely clear. This will require a lot of effort and initiative on your part. Building trust will take WORK, and it won’t happen overnight.
If you are looking to have a seat at the table, here are some actionable things that you can start doing today:
- Ask to be invited to executive meetings
- Start an Information Security steering committee
- Ask to present at board meetings or board committee meetings
- Ask for open door access to executives, especially the CEO and CFO
Once you have built that trust with your peers around the business, you’ll be able to get staff and resources for your team. And you’ll need more headcount if you’re going to build the next generation of cybersecurity professionals.