How to Get the Security Conversation Started at Your Organization
How to Get the Security Conversation Started at Your Organization
A lot of the time, people who make decisions around security aren't programmers or cryptographers. Learn how to discuss such topics with the C-suite.
Join the DZone community and get the full member experience.Join For Free
Protect your applications against today's increasingly sophisticated threat landscape.
Security is critical to any business operating in the cloud - in fact, it needs to be a top business priority for the reasons outlined below - and its importance leads many companies to serious conversations about it as early as Day One of operations (if not while the company is still in the planning stages).
If you're not proactively building out a security program from the earliest days, your turning point could come after a security breach.
But why live under the threat of an incident or put off implementing security measures until something bad happens? It's much wiser to take a proactive approach to reduce your organization's risk, and, as we point out below, to reap the other operational and business benefits that are directly connected to good cloud security.
Whatever motivates you to start a security program, the question is "How can you get the initial conversation started in a way that fosters an understanding of the real value of cloud security and wins you the support your project will need to carry it from a concept to an ongoing program?"
The good news is there are best practices that can help your program gets traction. In this post, we explore four that will help you successfully prepare for and manage the initial security conversation at your company.
1. Remember That Security Isn't Just About Security
It's important to convey to your organization that security is never just a cost (i.e., a necessary evil). A good security program pays back on several levels:
- It is a way of strengthening your overall security posture to protect your systems, critical assets, and customers.
- It can also be an opportunity to streamline and optimize your operations, particularly if you use security tools to automate your key workflows. This can enable you to operate more quickly, carry out operations more accurately, and ensure that security is baked into key workflows.
- In addition, security is a powerful business enabler that can open new market channels, provide competitive differentiation, shorten sales cycles, and actually help your business grow.
- Finally, cloud security, such as an intrusion detection platform, can address many of your organization's compliance issues.
The more clearly and convincingly you can articulate these benefits, the greater the likelihood that you will be able to address the needs and interests of stakeholders at all levels in your organization, establish the merits of your proposed program, and earn support for carrying it out.
2. Identify a Security Leader
You will also need a Security Leader (perhaps yourself) who can act as a primary point of authority to deal with the business, operational, security, and, perhaps, compliance issues that your stakeholders will want to know about and that will be major components of your security program.
For larger companies, you may already have a security leader. It's usually the CISO or security manager. But in smaller companies, where it's more likely that you have limited resources and don't have a dedicated security team, it is typically someone from IT or DevOps. That doesn't necessarily mean security becomes that person's full-time job. But it does mean that he or she becomes the point person for all things security related - including conversations around new initiatives.
Whether your Security Leader is a CISO or comes out of DevOps or IT, their responsibilities, especially at the early stages, will include more than just technical issues. They will also need to speak to the operational and business objectives that your proposed security program will help drive - not necessarily with deep knowledge, but with enough authority that they can address the questions that the stakeholders will inevitably have. They will also need solid project or program management skills, which include strong communications skills because they will need to ensure that stakeholders and others have the information they need to understand, support, or otherwise participate in the program.
3. Identify Stakeholders
As we pointed out above, security is about more than just security, and a cloud security program needs to meet the needs of all stakeholder groups. Therefore, you need to identify a circle of stakeholders who can support your Security Leader in a variety of specific ways, from providing a budget to ensuring communication throughout the company in order to make sure that everyone understands the what and why of security as well as their specific roles and responsibilities.
Broadly speaking, there are usually six main stakeholder groups: investors, board members, and C-Level executives; CSOs and CISOs (if you are a larger organization); Development; Operations; end users/customers; and we could add compliance regulators as well. Clearly, not all of these will apply to every situation, but be crystal clear in identifying individuals and groups who do need to know about your proposal. And be sure that you have drilled down to identify the specific concerns, questions, and objections they are likely to have.
By being able to describe the unique values that your program will deliver to each stakeholder group, you will put yourself in a strong position to overcome objections and enlist support. You will be able to help stakeholders see that something that might first appear as a security expense can now be regarded as an investment that addresses the concerns of multiple areas in the company and collectively brings about stronger security as well as greater organizational effectiveness, efficiency, and profitability.
4. Prepare for the Initial Conversation
Now you need to prepare for the first conversation with the stakeholders, and a good way to structure it is by following these basic rules:
- Do: Focus on the business issues that are central to your audience's interests. Explain how cloud security will act as a business enabler that will help the organization achieve its top business objectives. Do the research to identify benefits that are specific to your organization's goals.
- Do: Be specific and detailed. Develop a detailed case that outlines, with examples and cost projections, precisely how cloud security will generate ROI.
- Do: Prepare a high-level overview of how you intend to address cloud security issues that are specific to your company by answering these questions:
- What types of data or information must absolutely be protected above all else? Are they being protected adequately today?
- What security failures would put the company in the most danger?
- What are the organization's current goals related to cloud security, and are we meeting these goals?
Clarifying priorities will help stakeholders see that all the bases are covered in your strategy and that the most at-risk areas will be dealt with first.
- Do: Be aware of the different vested interests each stakeholder will hold. Each stakeholder will have different ideas about what is most important to the program based on their own goals and drivers. For example, management will be driven by business-level goals, security leaders will be driven by managing risk, and DevOps team members will be driven by increasing operational efficiency. Understand and align these different goals up front.
- Do not start by focusing on technology: The C-Level stakeholders primarily know and care about business. Down the road, when your security plan has been authorized, you'll need to provide technical details. But at the outset, your audience wants to know about the business benefits, your view of security priorities, and less so the means (i.e., the underlying technology).
While your stakeholders may be enthusiastic about the benefits you've outlined, they may still have questions, reservations, or outright objections to parts of your proposal. So do your research on objections that are likely to be raised, and be prepared with empirically based responses along with case study examples to overcome your audience's concerns.
Stakeholder buy-in is a foundational part of your cloud security proposal. Prepare thoroughly to win buy-in and don't start anything else until you have obtained it. Remember, the more convincingly you address your stakeholders' concerns, the more likely you will secure their initial buy-in as well as their ongoing commitment.
If you are well-prepared for the initial security conversation at your organization, you will be on the path to earning stakeholder buy-in and ongoing support. At the end of the day, with proper planning, your security discussions will not only lead to a program that strengthens your organization's security posture, but also helps it optimize its operations, and, at the highest level, give it a competitive advantage by taking advantage of operating at speed and scale in the cloud.
Published at DZone with permission of Travis Wilkins , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.