Advice from the C-Suite on Turning Security Talk into Action

This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site.

Today’s complex threat landscape means security needs to be top of mind for companies of all sizes. Protecting your organization and customers from threats requires taking security from the backroom to the boardroom. While your C-suite may not be as deep in the security trenches as your security team, leadership needs to care and is critical in helping organizations implement a successful cybersecurity strategy. Whether you’re a CISO, CEO or anything in between, we all have work to do when it comes to ensuring security is a top business priority.

An effective security strategy means security should not be tacked onto a business strategy as an afterthought, but should be a key factor for determining how the company operates. Practitioners can’t simply serve as security subject matter experts; the role of the practitioner is to educate management on the risks and ROI of a sound security strategy, and back it up with hard data to ensure the company is appropriately investing resources into security.

But how do you get leadership to revisit or modify a security strategy before an issue arises? I want to share a practical guide for getting the C-suite aligned with the security team. What will resonate most varies by role, so I’ve included commentary below from several of my colleagues at Juniper Networks, including our Chief Information Officer, Bob Worrall, our Chief Marketing Officer, Mike Marcellin and our Chief Financial Officer, Ken Miller.

Use Your Security Officer as Your Link to the Executive Team, Partners and Customers

As Juniper’s Chief Information Security Officer, I’m responsible for driving the security strategy needed to effectively protect Juniper’s computing infrastructure and the sensitive information that our customers, partners, suppliers, and employees have entrusted to us. In order to effectively do so and move the needle, it is our job to arm the executive team with data, actionable recommendations and proposed solutions rather than focusing on problems, whenever possible. And if or when that’s challenging, tap your CIO or CTO to serve as your connection to the broader executive team.

Tailor the Conversation to Your Audience

Whether prepping your security team or connecting directly with the broader C-suite, speaking the language of leadership is critical when it comes to aligning on priorities. Forget fear mongering to escalate security needs and, instead, relate security back to business objectives. Connect a security breach to the bottom line, product performance and brand reputation—with data—and you are more likely to catch the attention of the C-Suite while also better aligning the security team with the rest of the company.

Even better, tailor data and break down your request or recommendation for specific departments, from IT to finance to marketing and everything in between. For instance, to resonate with IT, Bob Worrall, our CIO at Juniper Networks, said, “I’ve learned that very few problems that occur in IT are solely technology problems, and most can be solved with money, time and people. I recommend that the security team provides me with a holistic recommendation that looks at all three rather than merely requesting to purchase the latest tool.”

Our CMO, Mike Marcellin, added, “It’s important I understand our company’s unique security risks, processes and needs so I can elevate the conversation with customers and further demonstrate investment in safeguarding their data and businesses. In a recent survey we commissioned with Loudhouse Research, we found that consumers value trust and security/compliance first and foremost from businesses. As we head further into the next digital era—the era of Digital Cohesion—business aspirations must shift from being the ‘best’ to being ‘trusted.’ To best evolve marketing strategies to cater to this customer value, it is vital that security teams communicate with me and my team of marketers about the ins and outs of our security program and efforts. By collaborating, we can create a unified voice and presence in the marketplace and address common customer challenges.”

Remember It’s Not Just What You Spend, But How You Spend It

Like most organizations, at Juniper Networks, there is not a single customer conversation or board meeting that happens where security isn’t discussed. The good news is the C-suite tends to be on board with strategic security investments. Ken Miller, our CFO, noted that “when it comes to IT spending, the mantra is usually ‘do more with less,’ but that isn’t true with security. The percentage of IT spending on security will only continue to grow as we face increasingly sophisticated threats—the mantra may become ‘do more with more.’”

Rather than organizations throwing their collective hands in the air in frustration over how security dollars are allocated and spent, it’s more productive to provide rationale for a different approach. Whether it’s automating policy enforcement to free up teams for more strategic analyses or pooling threat intelligence with other companies’ data to strengthen your defenses, security practitioners may find themselves surprised with the receptiveness of leadership to change.

Create Security Champions Within Your Organization

It’s about more than getting leadership on board. Security pros should look for people who are passionate about security across departments and enlist their help in becoming ambassadors for the wider team. Not only can they advocate for security in their respective departments, but they can also provide transparent feedback to the security team on the realities and pain points of their teams, allowing the security group to adjust strategies as needed.
