Why Security Practitioners Should Understand Their Business
Not too long ago, cybersecurity was seen as something separate from the rest of a business (think two guys in hoodies working in a separate room). But in the past decade, it has finally received well-deserved and long-needed recognition and attention. An increasing number of companies are hiring chief information security officers (CISOs) to help shape their overall business strategy, making security a top priority for corporate boards of directors. On their end, CISOs are starting to understand and outline the role of security as a business enabler, not as a department of “no.”
Things are evolving, and it is exciting to witness these changes, although there seems to be an important gap.
Much of the discussion about the evolving place of security in business is centered around the role and ever-expanding responsibilities of CISOs: recruit and grow high-performing teams, build relationships with leaders from other departments, communicate and manage up and across, enable the business to achieve its goals and objectives, and the like. What is missing in most of these conversations are security practitioners and how important it is for them to understand the business side of security.
There are two important reasons why having CISOs be the only people who think about business won’t work well: 1) Without an understanding of the business, it is hard for security practitioners to do good work securing it; and 2) without an understanding of the business side of cybersecurity, it is hard for technical security professionals to be effective in building the future of the industry. Let’s take a closer look at each of these factors.
You Can’t Secure What You Don’t Understand
Every organization’s environment is different. There are different tools and applications used by employees, different ways people collaborate, different types of data companies collect, and most importantly, different crown jewels that need protection. Many (I would even say most) of these differences are direct results of the business the company is in. A fridge manufacturer has different types of risks and different types of parties with access to its data than a marketing agency or a biotech lab would.
Every day, security professionals are making decisions that impact their organization’s security posture; they cannot rely on CISOs to be the only people with critical knowledge about the business. Understanding how the company generates revenue, how salespeople share information with one another and with their prospects, how finance teams access information when working remotely, and how vendors get paid is critical to properly securing the organization’s environment. Statistically, it is more likely that a company will suffer a breach because of how some department has set up its business process, not because of the latest zero-day found by Apple (although learning about the latter might rightly be more exciting).
You Can’t Innovate What You Don’t Understand
Not all security practitioners should become entrepreneurs, but some inevitably will. Future cybersecurity founders typically spend many years in the industry before finding a painful problem worth solving and building a determination to go do it. This means that by the time they launch a startup, security entrepreneurs have a deep understanding of the technical side of the industry. Unfortunately, the same isn’t true about the business side of cybersecurity.
Staying curious, asking questions, and building relationships with people from other parts of the company helps future founders and security leaders with the following:
- Understanding how the purchasing process in organizations works, who is involved, and how the decisions are made.
- Building an understanding of what areas of a business are being overlooked by current security solutions, and what problems haven’t been solved yet.
- Developing a broader view of what it takes to run a company, and how different functions contribute to the overall success.
- Getting a broad view of different types of companies, different revenue models, and organizational structures, and how these factors impact business outcomes.
While understanding the business of the organization one is trying to protect is critical to building the right defensive measures, knowing what the business side of cybersecurity looks like helps keep founders from getting so excited about technology that they forget a company needs a sustainable business model in order to grow.
Looking Into the Future
There was a time when software development was where security is today, with engineers not having to think about the business side of things. A product manager would bring the requirements, and developers would turn them into working software without asking any questions. Nowadays, product development is seen as collective problem solving — developers, designers, and product managers work together to achieve business goals. For that, product people need to understand the basics of technology, and engineers need a strong grasp of the business their company is in.
The sooner security practitioners become more proactive in understanding the business side of the organizations they are hired to protect, and the industry overall, the better they will be able to do their jobs, and the more likely they are to build the innovations that change the way things work in the industry for the better. While nobody will expect them to get MBAs, every security practitioner would benefit from getting some visibility into areas like marketing, sales, customer service, finance, operations, and the like. After all, business processes are where many vulnerabilities come from.