Why security professionals should understand their business
Not long ago, cybersecurity was seen as somewhat separate from the rest of a business (think two men in hoodies working in a separate room). But in the last decade it has finally received the well-deserved and long-needed recognition and attention. More and more companies are hiring Chief Information Security Officers (CISOs) to help shape their overall business strategy, making security a top priority for corporate boards. On their side, CISOs are beginning to understand and outline the role of security as a business enabler rather than a department of “no”.
Things are evolving and it’s exciting to witness these changes, although there seems to be an important gap.
Much of the discussion about the evolving importance of security in organizations focuses on the role and ever-expanding responsibilities of CISOs: recruit and grow high-performing teams, build relationships with leaders from other departments, communicate and manage across the board, enable the company to achieve its goals and objectives, and the like. What’s missing from most of these conversations are security practitioners and how important it is for them to understand the business side of security.
There are two major reasons why it won’t work well when CISOs are the only people thinking about the business: 1) Without an understanding of the business, it’s difficult for security professionals to do a good job of securing it; and 2) Without an understanding of the business side of cybersecurity, it is difficult for technical security professionals to effectively shape the future of the industry. Let’s take a closer look at each of these factors.
You cannot secure what you do not understand
Every organization’s environment is different. There are different tools and applications used by employees, different ways of collaborating, different types of data companies collect, and most importantly, different crown jewels that need to be protected. Many (I would say most) of these differences are direct results of the business in which the company operates. A refrigerator manufacturer has different types of risks and different types of parties with access to its data than a marketing agency or biotech lab.
Every day, security professionals make decisions that affect their organization’s security posture. You can’t rely on CISOs to be the only people with critical knowledge of the business. Understanding how the company generates revenue, how sales reps share information with each other and with prospects, how finance teams access information when working remotely, and how vendors are paid is critical to properly securing the company’s environment. Statistically, a company is more likely to suffer a breach because of how a department set up its business process than because of the latest zero-day found by Apple (although learning about the latter might justifiably be more exciting).
You cannot innovate in what you do not understand
Not all security professionals should become entrepreneurs, but some inevitably will. Aspiring cybersecurity founders typically spend many years in the industry before finding a painful problem worth solving and developing the determination to tackle it. This means that security entrepreneurs have a deep understanding of the technical side of the industry at the time of launching a startup. Unfortunately, the same cannot be said for the business side of cybersecurity.
Staying curious, asking questions, and building relationships with people from other parts of the organization will help future founders and security leaders to:
- Understand how the purchasing process works in organizations, who is involved, and how decisions are made.
- Build an understanding of which areas of an organization are being overlooked by current security solutions and which issues remain unresolved.
- Develop a broader view of what it takes to run a business and how different functions contribute to overall success.
- Get a high-level view of different types of businesses, different revenue models, and organizational structures, and how these factors impact business outcomes.
While understanding the business of the organization you’re trying to protect is crucial to building the right defenses, knowing what the business side of cybersecurity looks like helps ensure founders aren’t so enthusiastic about technology that they forget that, in order for the company to grow, there must be a sustainable business model.
A look into the future
There was a time when software development was where security is today and engineers didn’t have to think about the business side of things. A product manager would bring in the requirements, and developers would turn them into working software, no questions asked. Today, product development is viewed as collective problem solving – developers, designers, and product managers working together to achieve business goals. To do this, product specialists need to understand the fundamentals of the technology, and engineers need a strong understanding of the business in which their company operates.
The sooner security practitioners become more proactive in understanding the business side of the organizations they are hired to protect and the industry at large, the better equipped they are to do their jobs and the more likely they are to create the innovations that will change security for the better across the industry. While no one expects them to earn MBAs, any security professional would benefit from gaining insight into areas such as marketing, sales, customer service, finance, operations, and the like. After all, many weak points arise in business processes.