“We’re always seen as the ‘Department of No’”, I heard a CISO say at a roundtable discussion where security leaders talked about the current climate of security.
The CISO was describing what I have experienced for the majority of my career. I have seen many stakeholders of security programs view our mission as the “people who say I can’t do things.” This brings to mind phrases like, “You can’t do that” or “That isn’t an allowed application” or “That isn’t aligned with our policy.”
While these phrases are at times unavoidable, this isn’t the core function of security. The core function of security can be enabling the company to move as fast and innovatively as possible with risk context and awareness. Let me explain through an analogy that dawned on me at that very same roundtable discussion.
For the unfamiliar, Formula 1 or F1 racing is the premier racing competition with extremely fast, low-to-the-ground cars. In order to win, you have to finish the race faster than your competition. Does this mean you merely put the pedal to the metal until the end? No. Or does it mean you have to drive as safely as possible even if it will look like you are taking a nice Sunday drive? That isn’t it either. There’s a component to F1 racing that enables the driver to find the happy medium and push the car face without taking unnecessary risks: the pit.
The pit isn’t just the speed tire changers. The pit includes a pit wall or analysts that monitor the health of the car and the conditions of the track. They monitor if the engine is running hot, or if the tires are losing too much tread, or if there’s something on the track that might cause issues for the driver. They’re there to inform the driver how hard or fast to push the car without taking undue risk.
In this analogy, the car is the business, the driver is the business leadership, the team of engineers is IT, the track is the threat environment, and the pit is the cybersecurity team.
Cybersecurity is not here to say “no”. It’s here to say, “here is the context for a particular decision or action that could have security implications.” They monitor the health of the business from a security perspective, implement controls to keep data and infrastructure safe and provide context to make decisions and take actions.
Cybersecurity professionals are here to enable the business to move fast — and innovate through both context and controls. Every once in a while, they might ask politely for the brakes to be tapped.
When I shared this analogy with my peers, it was clear as day that this is the mental switch we need to champion in business today. Business leadership, IT, and security are all on the same team. The more we can innovate and accelerate optimally, the better for the business.
It’s neither unrelenting speed nor stifling caution that will get us where we need to go. We have to find the balance through communication and teamwork. Once everyone understands their place in the empowerment of the business, the business will move — fast.