Security maturity, as cliche as it sounds, is a journey – not a destination. Security is never “done”; there is always more to be done, new technologies or processes to secure, evolving business objectives with which to align.
The great part about being on the security team is that you don’t have to be the CISO, or Chief Information Security Officer, to make some real changes. If you’re a dedicated security professional, you can absolutely help guide how security is implemented in your organization, as well as how security is perceived. These activities are good for the company as a whole and for the security team, and your good work is often reflected back on you personally, which can help you in your professional journey.
So how can you impress your CISO and help your organization become more secure at the same time? Let’s look at some of the proven ways to win your CISO over – and make yourself and the security team look like total pros.
1. Understand that your CISO needs to map every security objective back to the business objectives
This is most likely the most crucial part of the CISO position, and can often also be the most difficult. The CISO is responsible for managing every intersection security has with the business, including operations, shareholder value, and even protecting the brand. CISOs are also required to map every security practice, tool, and procedure back into business terms that can be explained to the board and other stakeholders.
As a security professional, you understand fully why certain security protocols may exist – but they may not be so easy to explain to business-oriented stakeholders. You can help your CISO tremendously by adding business context to your discussions. This is especially important when it comes to obtaining the budget your team needs – without mapping your needs to the organization’s, the full security budget may be slashed. But by presenting your case with proper data and by mapping security to the business goals, your team and your CISO will have a much easier time explaining what your team does.
2. Help your CISO plan better by keeping them updated on the security team
Your CISO may not work on the security team day-to-day and they may not know what security is up to on a daily basis – but it’s still important to keep them updated on what you’re working on and to have regular security discussions.
If possible and if not already occurring, try to set up a weekly, bi-weekly or even monthly meeting between the CISO and security team. In these meetings, make sure that giving and receiving feedback – on both sides – is on the agenda each time. By having clear communication with your CISO, you’re helping each other and creating an environment for a strong relationship between the CISO and the security team.
3. Learn which compliance requirements your organization needs to adhere to and whether your organization is taking all steps to adhere to them
Adhering to relevant compliance requirements and regulations has become increasingly important for organizations to succeed and compete in the market. While some parts of the regulations pertain to privacy or other areas of the business, a major part of many regulatory requirements governs security procedures and protocols. If you have a CISO, he or she will most likely have a grasp on the regulations that apply to your organization, but there is always room to improve the processes around how the compliance regulations are handled when it comes to security.
Whether your organization handles credit card data, which is governed by the PCI-DSS, or medical data, for which HIPAA legislates security activities, you can help your CISO succeed in your organization by helping detect areas that aren’t fully compliant.
Especially important is preparing for the next version of a compliance standard as well as new regulations, such as the GDPR. If your organization hasn’t yet prepared for the GDPR, for example, which applies to any organization with clients or data based in the EU, you could help your CISO tremendously if you map out what the GDPR mandates in terms of security and how the security team is handling it – or recommend how it should look.
4. Help promote security awareness throughout the organization by identifying security champions among your organization’s development teams
Every company is at its own stage of security awareness, and you can help push your organization forward. One helpful step for many organizations has been identifying “security champions” among the various departments. Security champions are non-security team members who show extra interest in helping the security team. Champions are especially important on the development and operations teams, where they can help create a more collaborative relationship between Security, Dev, and Ops.
Traditionally, the security team has often been seen as a block – to innovation, to speed, to growth. Security has historically been a ‘No Man.’ By engaging your security champions in ways they find meaningful (examples include inviting them to OWASP meetings and giving them a seat in your security discussions), you can forge a new image for security, one that helps break down the traditional siloed structure and changes how the security team is viewed across the organization.
5. Find better ways to communicate with development and operations teams – especially if your organization has embraced the DevOps methodology
Per a recent study, 88% of organizations have embraced DevOps in one way or another today or plan to within the next five years. If you aren’t familiar with DevOps, it’s time to learn. While DevOps can be great at fixing a lot of the issues related to a lack of solid communication between teams, it can also be a way of pushing security into obscurity. In organizations where security isn’t tightly integrated into the DevOps processes, or where the security tools in use don’t integrate into development and operations platforms, this is likely already the case.
You can help pioneer the change in your own organization, because as research has shown, DevOps, which becomes DevSecOps when security is given an equal seat at the table, is good for business. And there are plenty of organizations that do DevSecOps well. Keep your team relevant by identifying the tools, processes, and integrations that could be implemented to help DevOps teams reach their goal of becoming faster and more productive while maintaining a high security posture.
6. Help your CISO with risk management by keeping risk assessments up-to-date
Many a breach has been accomplished by taking over rogue applications or networks that haven’t been used in years. Often risk management is the CISO’s responsibility, but proper risk management requires consistent upkeep, often falling outside the CISO’s purview. Keeping a detailed inventory of your assets and mapping them to specific security controls will make your annual assessment that much simpler. By keeping them up to date, you’ll be able to immediately reference this information should any breach or incident take place, and your team will have a much easier time collaborating with development and operations if you have a full comprehension of the risk platform for a given project.
7. Discover better ways to educate different departments about security
We touched on the importance of having security champions among developers earlier. Equally important is the need for effective security training and education throughout the other departments as well. There are so many different areas and practices to cover that it’s unlikely you’re covering all your bases. Find out, using your knowledge of the threat landscape, how threats are prioritized and understood by relevant departments, and what is being done about educating employees. You will most likely be able to identify gaps – sometimes major – in what is being taught and how employees are applying their training and education.
For example, email phishing is always a major concern for non-security employees, but what about drive-by attacks? Do your database admins understand the prominence and dangers of XSS and SQL injection? Does your finance department (or any employee for that matter) understand what a spear-phishing attack looks like? Identifying the blind spots and helping your CISO find ways to cover them is a huge win for the organization as a whole.
Helping your CISO and your organization’s security posture is a commitment to your craft that will often pay off big time in the end. Not only will you have a much better understanding of the work that CISOs do and what they’re charged with, you’ll also be seen as a supporter of innovation and the organization as a whole.