As security professionals, we aren’t known for our levity. True, we’re often fire-fighting serious incidents with potentially profound consequences for the organisation, and our career prospects. But our relationships with others are usually characterised by policing and enforcement rather than engagement and support.
This needs to change. And it must start with the CISO.
Why do many employees dislike their colleagues in the cybersecurity function? Because their first, and often only, experience of interacting with security is being told they’re doing something wrong, and that it will take extra work to put right. That’s not the basis for a productive working relationship.
Part of the problem stems from the fact that security operates some way behind the rest of the organisation. CISOs often gravitate to infrastructure and network folk, who are themselves far from where the action is. This makes security reactive and reinforces our reputation as a policing function. When CISOs take that stance, they tend to become over-reliant on processes built for a slower, more centralised way of delivering IT.
The truth is that modern organisations are agile, feature and product driven. Things happen faster. More squads are involved, using intuitive tooling that supports rapid development and deployment. This is a world that is not controlled by the processes security has traditionally relied upon.
How can CISOs resolve this tension? First, by acknowledging that these processes have changed, that DevOps is here and the IT world around them is now fundamentally different. The days of monolithic projects put in front of security for sign-off are numbered. Projects are more numerous, and fluid. That requires security leaders to have more day-to-day involvement in how teams build and ship. In the past, the CISO’s list of professional relationships in the organisation was probably fairly short, but those relationships ran deep. The way IT works today requires a much broader roster of relationships, with platform teams and site reliability engineers.
In these new relationships, we must be contributors, not gatekeepers. Security teams must work hard to understand how they can make a positive contribution to what the business is trying to achieve, one that goes beyond simply keeping it “safe and secure”. They’ll need to grasp the engineering process well enough to offer the right tools to the right people at the right time. In practice, they’ll come to resemble internal salespeople or security evangelists far more than auditors.
This will obviously require a major shift in attitude which many CISOs and their teams will find challenging. But change we must. It’s about building strong relationships based on mutual trust and turning up with a smile on your face. The music’s playing, so stop standing in the corner and come to the party.
This blog was first published in The Register.