By Sean Malone, Chief Information Security Officer, Demandbase
Technology has given rise to many comparisons in the past few years, but the train comparison is one of my favorites. In this analogy, the tech sector is like a fast-moving train that constantly gathers speed, bringing new opportunities and challenges along the way. One of the challenges it brings is the ever-increasing danger posed by cyber threats, requiring a modern approach that goes beyond traditional security practices.
Robust security measures are a vital factor in this rapidly evolving landscape. To effectively safeguard your organization, a unified strategy that brings together IT, Enterprise Security, and Product Security under the guidance of a Chief Information Security Officer (CISO) is critical. Here’s how to implement this approach, the challenges involved, and how to structure your teams for optimal results.
Creating a Unified Voice for Security
In the traditional business model, IT and Security often operate in silos, with separate reporting structures and objectives. However, a modern approach could involve a paradigm shift by having both functions report to the CISO. The key to making this work lies in how the CISO perceives their role. Instead of viewing themselves solely as security professionals operating at the executive level, they must embrace the mindset of a business executive focused on enabling the business to achieve its core objectives without taking on unnecessary risk.
This change in perspective enables the CISO to advocate for security from a unified standpoint. By bridging the gap between IT, Engineering, and Security, the CISO can promote a culture of quality throughout your organization, ensuring security considerations are integrated across corporate processes and in every stage of the product development lifecycle. This strategy helps encourage better collaboration between teams, reduces redundancies and associated costs, and enhances your company’s overall security effectiveness.
Overcoming Challenges with Relationships
While the benefits of unifying IT and Security under the CISO are clear, challenges can arise when an organization attempts to bring diverse teams together. Resistance to change, hesitation, and the need to incorporate external talent can all pose difficulties. Clearing the runway of these organizational hurdles requires a strategic—and empathetic—approach.
Building relationships is vital. Fundamental steps that need to be taken include:
- Encouraging open communication channels and fostering a culture of trust to overcome resistance and hesitation
- Establishing forums for cross-functional collaboration, such as regular meetings and joint projects, to help create shared goals and build stronger relationships between teams
It is crucial to emphasize that the goal is not to undermine existing roles but rather to leverage the collective expertise to enhance the company’s security.
Additionally, you must strike a careful balance when integrating external talent. While fresh perspectives and specialized skills can bring immense value–and are frequently a necessary component of organizational transformation–you must be able to integrate these seamlessly into the existing team structure. Your organization can create an inclusive culture that values diverse contributions by providing mentorship, clearly defining roles and responsibilities, and actively promoting a growth-oriented environment.
Structuring Teams for Optimal Results
Once IT and Security are united under a CISO’s leadership, it’s essential to structure your teams in a way that maximizes their potential. Crucial aspects of this process include adjusting role definitions and creating growth opportunities.
For example, revisiting role definitions is necessary to ensure that your people are assigned to the right roles based on their skill sets and expertise. Redefine your job descriptions to achieve alignment, emphasizing the importance of security skills and fostering cross-functional training. Develop clear career paths for employees to nurture talent, retain top performers, and enable continuous development.
Create growth opportunities to maintain team motivation and engagement. You can achieve this by establishing learning programs, offering certifications, and providing avenues for professional advancement within the security domain. Recognizing and rewarding accomplishments, both individually and as a team, further encourages a strong commitment to security excellence. Your objective should be to maximize the amount of time that employees spend working at the intersection of expertise, passion, and company needs.
Implementing a Holistic Approach Under a Single Umbrella Strategy
A modern approach to tech sector security requires a holistic approach that unifies your IT, Enterprise Security, and Product Security under a single overarching strategy. Overcoming challenges and breaking down silos through relationship-building and trust-building efforts are essential for success. Additionally, structuring teams with the right people in the right roles, coupled with growth opportunities, ensures the continuous evolution of a robust security program that can effectively safeguard against emerging threats in the dynamic tech landscape.
By redefining the role of the CISO as a business executive focusing on security, your organization can achieve a cohesive voice advocating for comprehensive security initiatives across the board.
About the Author
Sean Malone is the Chief Information Security Officer at Demandbase. In his role, he is responsible for the information security and IT functions. Prior to joining Demandbase, Malone led information security, delivery, product, and R&D for VisibleRisk, which was acquired by BitSight Technologies. Prior to that, he was Head of Cyber Defense for Amazon Prime Video, and previously spent ten years in offensive information security, performing red team engagements and cyber defense consulting for major financial institutions, casinos, gold mines, social media platforms, and similar high-value targets. Malone holds an MS in Information Security & Assurance, as well as the CISSP, CISM, CISA, CCISO, AWS Solutions Architect, and AWS Security Specialty certifications. He’s active in the security community, including presenting research at Black Hat, DEF CON, and other conferences. He has a patent pending for his work on assessing security programs and quantifying cyber risk.
Sean can be reached online at https://www.linkedin.com/in/seantmalone/ and at our company website https://www.demandbase.com/.