Involve your security team in the decision-making process
It's time for businesses to include security teams in project planning -- even when it's not cybersecurity related -- because their experience provides diverse insights that might otherwise be missed.
More often than not, businesses see security as the technical gatekeeper to help meet compliance obligations, secure data and applications, and inspire customer trust. Security teams regularly end up isolated from the business and technical teams or tacked on at some point along the way. In most cases, the lack of contact and visibility does not indicate an intention to "get away with something," but reflects that security is not part of the product or business planning lifecycle.
Security teams provide decision-making diversity
Organizations, from their teams to their boards, strive to achieve diversity, which has been proven to generate greater range of thought. The same applies when a variety of disciplines bring together new perspectives throughout a process. In the case of security teams, the diversity we are looking to introduce into our organization is their breadth of perspectives across the products, the customers or internal teams.
In many instances, security professionals can provide the unique insights and perspectives that make a material difference early on in any project. More often than not, these viewpoints are missed because security is either involved too late in the process or is left to review the outcomes and make the best of the situation.
As CIOs and CTOs, our jobs are often to move ahead of the business as much as possible to anticipate needs and enable revenue generation. We run ahead of the freight train that is the business to lay track as quickly as possible, and make sure that track is built reliably to prevent derailments. We know what works and we have great teams that can get the work done expediently to meet business needs.
Moving quickly usually means making game-time decisions along the way in small groups that then incur debt of some kind, whether technical, business or risk related. The important part about the rapid decision-making process is to maximize intentional decisions (i.e., considering as many angles and perspectives as possible) and minimize assumptions or blind spots. Involving security teams with their broad exposure to the organization helps to shed a light on those possible blind spots quickly to aid in rapid decision-making.
This is where the unique and broad perspective of security teams is useful to help generate insights that may otherwise be missed. There are many reasons why security teams can offer considerations that technology teams alone may not. In most cases, security teams:
- Work across the organization: Security is one of the few groups in an organization that need to work fully cross-functionally for the span of a project. While legal or finance may have occasional touchpoints across the organization, they usually operate at a higher level to facilitate a single objective (e.g., FP&A or contract negotiations). Security teams work across the organization at a deeper level because they must find ways to enable other departments and disciplines securely; it is challenging to secure something if the how and why of the work is not well understood. This deep understanding means that they have a comprehensive view of the organization as a whole.
- Understand the customer: A security team's mission is often to help ensure that the customer feels good about the product or service they are purchasing from the organization. The journey toward trust involves understanding the customer concerns, how products and information are used, and communicating effectively to address concerns. While the technical teams may have UX specialists, they may only be involved at product inception whereas security teams often interact with the customers once the product is rolled out, thereby keeping a pulse on customer sentiment and needs.
- Have deep product knowledge: Knowing the products and services, and the goals they aim to achieve, is essential to help inform decision-making about product direction and risk. To effectively measure risk and provide viable recommendations to address risk, security teams must be acutely aware of how the organization's products and services function. For example, understanding the type of users that exist for an application could inform how multi-factor authentication is implemented to minimize customer impact (or maybe even make their authentication experience more seamless).
- Fully grasp regulatory obligations: Part of security's role is to maintain compliance with privacy and security regulations from government and regulatory bodies. The security team's job is to interpret the evolving landscape of requirements into approaches that can be implemented. This expertise comes from working across the entire organization with various groups and having a complete grasp of the technical components that puts the security team in a distinctive position to translate outside influences into implementable recommendations.
Ways to better integrate your security team
As you can see, there are likely few teams outside of security with the same range of perspectives. There are many keys to success, but one is certainly intentional decision-making by taking into account many perspectives and inputs. By leveraging the security' teams concentration of expertise, the process of informed decision-making is significantly shorter.
Some ways to integrate the security team's insights and perspectives is to integrate them into the product development lifecycle and overall strategic conversations. Even though the security leader may not be part of the security team, having that person sit as a fly on the wall in leadership meetings is an easy to way close the feedback loop quickly. Many organizations do not include the security leader in strategy discussions to save them the trouble of more meetings. But the end result is an information-gathering process afterward by security that then helps inform the leadership team about roadblocks or opportunities they may not have thought about. Another way to integrate the security team is to form a brainstorming council that involves security and brings them into the ideation phases of product development.
Most organizations bring security into the fold so they can make sure they are not held up later in the process -- and that is a good reason for involving security early on. However, security teams also have insights that may help drive revenue, identify new features or potential non-security pitfalls that were not discovered previously.
In the end, the conversations and evaluations are all in the service of making intentional decisions about whether to go down a path or not. More often than not, we find ourselves at a crossroads and select one path without full consideration rather than going through an intentional decision-making process. Security teams can help the business and technology teams make intentional decisions across a range of domains.
About the author
Nick Vigier is a CxO advisor at Coalfire. Vigier is a technology and security leader focused on innovation to drive business results. In his 15 years of security leadership, he has focused on building high-performance teams to ensure security is a business driver rather than a cost center. In his current role at Coalfire, he takes his learnings as a CISO and CIO in a variety of industries to help leaders consider security as a business enabler and not just an insurance policy. Nick is passionate about looking at intractable problems in new ways to find solutions that benefit everyone while growing trust and efficiency.