Unfortunately, some cybersecurity professionals approach their work with an “us against the world” mentality. They’re constantly frustrated because others within their organization don’t seem to understand why cybersecurity is important. They feel like they are always having to fight for budget, attention, and relevance, and it makes them defensive about their cybersecurity program and their own efforts to address security issues. Not only do they find themselves in an adversarial position with some business leaders, they think of vendors largely as a necessary evil that sort of helps them accomplish their goals as opposed to a potential partner in their endeavors.
As someone who has worked as a cybersecurity leader within an organization and as a vendor, I can tell you firsthand that such a mentality is one of the most dangerous ways to approach your work. If you want to build the kind of comprehensive cybersecurity program you envision, you can’t go at it alone. You’re going to need help from people outside of your department.
Two Ways to Create Partnerships that Bolster Your Cybersecurity Program
Here are two ways you can create partnerships within your organization that support the work you’re doing to build a comprehensive information security program:
Communicate One-On-One with Advocates Outside the Boardroom
I distinctly remember the first time I was trying to get a conversation about cybersecurity into the boardroom for the company I was serving as CISO. At the time, it was not common for cybersecurity to be a topic on a board agenda, and very few of my peers had found a way to get any visibility at the board level. However, I felt very strongly that the topic of cybersecurity was appropriate for the board of my company, especially given our industry and our objectives. Rather than pitching the idea to the CEO, I floated the idea by our company’s chief legal counsel, because he was the secretary of the board and had shown an interest in the legal aspects of cybersecurity in prior hallway discussions. Once I had seeded the idea of including cybersecurity on the board agenda with counsel, the next meeting I had was with the head of internal audit. She embraced the idea and immediately recommended that it be added to the agenda of the next Board Audit Committee meeting. When she called the legal counsel to encourage him to support the topic, he was already on board!
It’s been more than twelve years since that first board presentation, and the good news for cybersecurity leaders is that times have changed quite a bit. Nowadays, most boards include at least a few cyber-savvy executives as directors, and, given the intense visibility of cybersecurity issues due to breaches and legal regulations, many boards are proactively requesting cybersecurity briefings as a part of their regular meeting agendas. Even so, I still speak with a large number of cybersecurity leaders who haven’t been invited to share details of their programs with company executives or board members. If you are looking to elevate the conversation and visibility of cybersecurity into the boardroom at your organization, look for ways to obtain and leverage key advocates within your organization’s leadership team as supporters of your cybersecurity program. Don’t be afraid to talk one-on-one with influential company leaders to get their buy-in. Sometimes, it takes several individual conversations to generate enough momentum to create a tipping point within your organization.
Be Proactive About Sharing Your Objectives with Vendors
Another important facet of taking a partnership approach to advancing cybersecurity is to be open and honest with your vendors. Having experience on both sides of the table, I can tell you that this is one of the most important things a cybersecurity leader can do.
Because most cybersecurity professionals are, by their very nature, skeptics (after all, we're wired to "trust no one"), a common mentality when interacting with vendors is to keep them at arm's length and reveal minimal information about initiatives and program activities. In theory, this protects the integrity of the cybersecurity program and limits the spread of details that could be damaging if leaked. That caution is reasonable for sensitive specifics such as open findings or internal architecture, but it should not extend to your objectives: a prospective vendor who does not clearly understand what you are trying to accomplish cannot accurately represent how the product or service under consideration can best meet your needs.
When I was a CISO, I always tried to be proactive about sharing my objectives with our partners. My thinking was that if my vendors understood what I was accountable for accomplishing during the year, they could focus their efforts (and our discussions) on proposing only those products or services that were relevant to my initiatives. They might have the greatest software in the world, but why would I want to spend an hour listening to a pitch about something that wasn't going to support the objectives I was accountable for, or that wouldn't fit within my budget? As a security leader, you are no doubt bombarded by nearly unending requests for your time to listen to a sales pitch. Many of those are unsolicited, of course, sent by desperate vendors hoping for a bite. You also likely have some vendor contacts who have shown a willingness to listen first and then offer solutions for your consideration. Those are the vendors worth your time.
Find a vendor who is willing to take a partnership approach and talk with them about the objectives you're trying to accomplish. In those discussions, you should be doing 75-80% of the talking. After all, there is no way for the vendor to offer a viable solution if they don't first clearly hear and understand your objectives! Based on that information, they should then explain how their products or services address your specific challenges. And, when their solution isn't a good fit, the best vendors will offer to point you toward another vendor who can help.
Looking for a Trusted Partner That’s Been Where You Are?
As a team of highly-skilled cybersecurity professionals with years of security leadership experience, we are here to help. If you’re looking for a partner who will listen and can help you take significant steps towards achieving your key objectives, contact us today. You can also explore our Security Consulting services to learn more about the various ways we can help you with any aspect of your information security program.
This blog is the fifth in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.