Liat Hayun, CEO and cofounder of Eureka Security.
The traditional perception of a security team was that it was a siloed, detached office of “no” that owned complete responsibility for securing company assets. In fact, before the tech explosion, cloud migration and the democratization of data, security teams were wholly IT-centric and considered to be the nagging gatekeepers of the company’s internal networks. Business needs were always relevant to their work, but they were less of a priority than technological requirements and aspects.
As the technology evolved, however, so did the sophistication of attacks, and—by direct correlation—so did the need for elevated security to protect this new technology. Over time, and with the incessant flow of data inside and outside of company environments, development and business teams began creating data stores—from customer and financial data to intellectual property and trade secrets—inside company public clouds faster than security teams could oversee and control them, leaving businesses in a state of ever-escalating cloud data security and compliance risk.
I have spent the better part of my career championing security teams, and I work with many leading CISOs who are part of the YL Ventures (an Eureka investor) advisory network. Over that time, I have realized that the more concerning and difficult problems to solve are entirely organizational.
Security can no longer be expected to bear the brunt of accountability for these risks alone and be left holding the bag when an incident takes place. Processes in today’s business environment have become distributed and directly involve a growing number of roles and responsibilities dispersed throughout the company in various teams.
Without a shared responsibility model between these stakeholders on critical business elements, companies will fail to drive significant processes or make informed decisions.
The Problems Facing Security Teams Today
Today’s CISO prioritizes business needs and processes as pivotal to their role in securing company assets. In most companies, however, while the C-suite understands the ramifications of a data breach, they expect CISOs and security teams to secure the entire company on a defined security budget and to do so without hurting business priorities.
There is an overarching lack of understanding of the need for company-wide collaboration on security. The number of users multiplies, as does the data they use, the applications they onboard and the interconnectivity between them. Teams are remote, many of them able to independently adopt third-party services with little to no security oversight, and security teams are expected to scramble, seek people out and fight to be included in the process.
Business leaders must reassess their responsibility and accountability model and help empower security teams to work in a lateral fashion across the entire company. The changes that have occurred in business over the last decade have brought technology from behind the scenes to center stage. As businesses became tech-centric, so grew the need to secure their precious assets—along with the volumes of data used and stored within them.
What Security Teams Need From The Organization
In order to engage business leaders to evolve, security teams must be able to deliver data, insights and results at a significantly faster rate than they are currently able to. This requires changing both the tools they use and the organizational support they receive.
Presently, security teams still tend to use legacy tools and manual processes to align with industry regulations and standards, increasing the risk of a policy violation. These gaps in the basic elements required to secure critical assets are holding security teams back from getting the support, acknowledgment and resources they desperately need.
This isn’t a simple problem to solve. Security teams are consistently stuck between a rock and a hard place. On top of business leaders demanding attention to business priorities, CISOs and their teams must ensure that they adhere to a growing number of external regulations and compliance requirements—making them accountable for more than just their internal assets and infrastructure.
These regulations provide business rules that impact security and vice versa. They define legal and financial constraints. It has to be clearly stated that if security isn’t a board-level priority, with CISOs actually being in the room when decisions are made, security teams simply cannot be expected to adequately address all of these priorities.
Conclusion
To summarize, CISOs are expected to single-handedly secure company assets but are routinely held accountable for decisions made without their input. This is not to say that they don’t own a large part of the responsibility within their domain, but it must be understood that without collaboration and support from the entire organization, security teams will not be able to effectively exercise this responsibility and should, therefore, not be held solely accountable.
A new system of accountability is needed in today’s world, which includes shared responsibility mechanisms similar to those employed in other areas of the company. Furthermore, CISOs must become part of the decision-making process as new technologies are considered. Finally, they must be empowered with proper budgets, security-led processes and the ability to secure these new technologies with the full support of their board, execs and fellow teams.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.