PREDICTIVE INTELLIGENCE
Reframing the security team as the ‘Department of Yes’
Peter Margaris, Head of Product Marketing at Skybox Security, tells us that the CISO and their security teams have an image problem. “The CISO isn’t a Grinch-like figure who’s hellbent on preventing progress within their organisation,” he says.
This is an era of tectonic change for many businesses: they’re shedding increasingly archaic processes and practices and embracing innovation. In many ways, Digital Transformation initiatives should be celebrated. These are projects that exist to make life easier for employees, improve operational efficiencies, drive down costs and expand business growth. But there is a sting in the tail and it’s hurting the CISO and their security team. The CISO has an image problem.
Digital Transformation projects are expensive. They’re complicated. They have a lot of moving parts. So, when a new investment in, say, a public cloud service gets the green light, it makes sense that the team responsible for its deployment is keen to enjoy its benefits as soon as possible. The perception of any project’s success can be hindered if it takes too long to deploy, which is why DevOps teams are increasingly reluctant to involve the security department in the process. They’re seen as a roadblock, as a team which says ‘no’ and stands in the way of progress. This needs to change. The CISO and the security function as a whole need recalibration. They need to become ‘The Department of Yes.’

www.intelligentciso.com | Issue 22
Why security has become the ‘Department of No’
Of course, the perception that many have about the CISO is unfair and lacks nuance. The CISO isn’t a Grinch-like figure who’s hellbent on preventing progress within their organisation. They know better than anyone just how impactful and transformative the right technology can be. Without being able to automate change management processes, for example, their team would be wasting a lot of time on manual logging and testing. But they also know that any new investment widens the attack surface, brings in a number of new risks and introduces further fragmentation to their already complex hybrid networks.
Most of the time, the CISO isn’t actually saying ‘no’. What they’re saying is: ‘Let’s take some time to make sure that this new investment is properly secured and doesn’t introduce unnecessary risk to our organisation.’
And while they’re trying to say that, they’re thinking about how that one request, and many more like it, are adding a greater burden to their already heavy workloads. They’re feeling the stress. And this stress can make a request to take a few steps back to