What does it take to be a Security Manager? In this article, based on my last 10 years of experience as CISO at an energy utility company, I will share my reflections on the keystones that can make you dare to succeed in managing a cyber security area in an organization. I have always found myself in the middle of an axis strained by opposing forces, which I always tried to balance through trust and a top-quality team. Let’s explore the tension axis.
"You must have a strong trust from your organization’s top management"
We all know that the world changes at an increasing pace and that new technologies appear every day, affecting existing business models. It’s fundamental for organizations to react in the face of a constantly changing environment, adapting their technologies and services. However, speed, better known as time-to-market, can increase cyber risk, because new scenarios might need a more careful risk analysis which, sometimes, cannot be done as quickly as the business expects. So, to succeed within the organization, it is essential to industrialize some security activities but, most importantly, you need to establish a high level of trust and communication with business units to justify the time needed for risk analysis.
Security has a cost! We know that it’s cheaper to build it in at earlier stages than to add it on later, but it has a cost nevertheless. Acquiring or developing a product or a service with security built in is more expensive than having no security at all. Business will always push for low cost to increase margins in a strong and global competitive environment, while risk control pushes the other way. Security managers need to cope with this strain, ensuring that the organization understands the need for this cost and that it is needed to fulfill the service promise we deliver to our customers. Again, trust is key, because for the business to accept a cost increase, it must rely on the security team correctly balancing that cost against risk control.
The new emerging technologies, like IoT, AI or Cloud Computing, are leveraging and threatening business in ways that we didn’t expect, or might not imagine. We know, with a high degree of confidence, that any company that doesn’t follow the pace of digitalization will probably not succeed in the near future, but we also need to be aware that if we decide to leave our critical business data with a cloud provider that gives no guarantee of data recovery, security or location, we may be ruining our business. We should reject scenarios where security teams are invested with so much power that they block any business initiative, and feel important for doing so, but also avoid the opposite: teams that rely only on compliance or magical technological solutions to get a good night’s sleep. Once more, the organization should have the confidence that it is adopting new technologies in a risk-controlled manner.
We need to admit that communicating cyber security is extremely difficult. Even in the conventional world, it’s hard to justify the cost of security measures against something that you will never know whether it would have happened; imagine explaining to the board of a large corporation that you need to secure your DNS entries or disable specific communication protocols. I found security professionals in our companies either as people with extraordinary technical skills who adopt a cryptic language or, on the other side, as extremely conceptual people, almost relying on a policy approach, forgetting that implementing security is difficult and is done, mostly, on the battlefield. Besides those two visions, we also need to adopt a business language: a deep understanding of the technical security challenges must be balanced with the ability to translate them into business terms, to support business decisions by the C-level. That is extremely difficult, and since you are providing this abstraction from the technical complexity, you must have a strong trust from your organization’s top management.
The pursuit of trust
I could drill down into some practices for each of these axes, but, for this article, I want to remark that in all these scenarios we find trust as the common strong word. I’m sure that some might say that trust is needed for everything, but that’s not the point, and the same could be said of other attributes. What I’m saying is that every team has its essence, and trust should be the DNA of a Security Team. You need to foster trust in the business services, because trust is something that customers are increasingly keen to have assured; you must have the trust of top management that you are correctly assessing the complexity of the cyber risks in the organization; you must have the trust of the business units for them to understand the reasonableness of security requirements; you must have the trust of your team, that their competence is being correctly communicated and applied with purpose; and, finally, you also need to create trust in society, especially if you manage critical infrastructures that affect everyone’s lives.
To achieve such a level of trust, it is fundamental to be aligned with business objectives. Any executive MBA will tell you that marketing, sales or operations must be aligned with business strategy and objectives. Why should it be different with security?