One of the challenges IT risk management and information security teams face in protecting the enterprise is that company-wide security practices and requirements are often seen as a hindrance to organizational agility and innovation.
One way security and IT teams can strike a balance between agility, innovation and security is for members of both teams to develop a deeper understanding of what their internal customers (employees) actually do. That understanding lets them act as trusted advisors to application development, other corporate functions and the business units, and help each of those groups reach its objectives, said Matt Davies, Sr. Director, IT Risk Management and Cybersecurity at Ciena.
For its part, Ciena's IT risk management and cybersecurity team is also constantly looking at new technology and trends. In particular, Davies's team is evaluating where machine learning (ML) and artificial intelligence (AI) technologies can be applied to analyze data and improve the services it delivers to its customers, he adds. This is consistent with a note in McAfee Labs' 2018 Threat Predictions Report, which stated: "Fortunately, the use of emerging technologies such as artificial intelligence (AI) and machine learning can help to augment IT risk management and information security teams by identifying potential threats and suspicious behavior and correcting vulnerabilities faster and more accurately, thereby enabling these teams to become more agile and innovative."
Understanding the Human Factor
When striving to balance agility, innovation and security, it's imperative for CISOs and information security leaders to look closely at the "people" factor. After all, the motivations and behaviors behind the actions people take in the workplace can have a dramatic impact on an organization's ability to be nimble and inventive.
"Talent is a critical component for orchestrating success across these areas," said Davies. "You need to be able to attract, develop and retain talent."
Davies offers a few key considerations for CISOs to examine:
- Reach out to and partner with local colleges, universities and educational institutions. Hire interns or new grads for fresh ideas, skills and perspectives. And be sure to provide them with the training for skills that your organization either needs now or will in the future.
- When recruiting for the security team, look for people with an "innovative mindset," said Davies. "Successful companies seek out individuals who are constantly looking for better ways to run the business."
- Employee development is equally important. "We want people who are interested in continuously learning and finding ways to improve our environment and/or our services," said Davies.
- Finally, strong communication and interpersonal skills are both extremely important. "It's not enough to be a technology expert," said Davies. "Security professionals need to be able to clearly understand and communicate the risks the company is facing and identify the steps that can be taken to mitigate or manage those risks in terms that executives and employees understand."
The human factor in bridging innovation and security also pertains to cultivating a security mindset across the enterprise. "Developing a 'security mindset' needs to be part of the organizational culture," said Davies. "CISOs and their security teams need to be able to educate employees to help them to understand how to identify and report potential social engineering attacks."
Davies points out that it takes time to develop this mindset. "It begins with education and helping everyone in the company understand that they have a role to play in protecting the organization's information assets."
It's also important for CISOs and security teams to provide regular security awareness education that keeps the security mindset top-of-mind for employees throughout the company. Review the threat landscape continually so that the training reflects the latest attacks and employees are prepared to help protect the organization. The focus of the training needs to be on influencing behavior: the content matters, but it is equally critical to review current delivery methods and test new communication techniques such as gamification and interactive training.
"This is an area where we continue to explore if there are better ways to enhance our awareness training from either a content and/or a delivery perspective," said Davies.
It's also important to remember that you can't manage what you don't measure. "Be sure to have metrics in place to measure the results and assess the effectiveness of your awareness campaigns," said Davies.
To instill a culture of innovation within corporate IT risk management and cybersecurity teams, it's important to communicate that each team member plays a critical role in building and strengthening that culture.
Team members should also be urged to share new information they've learned or come across for the team to explore. "Every time someone from my team attends a training event or a conference, they are encouraged to share what they've learned and also to identify if there is something we as a team should investigate," said Davies. "A culture of innovation is about a mindset of continuous learning and improvement."
Ultimately, reconciling agility and innovation with sound security practice comes down to weighing one against the other. "The key is balance," said Davies. "You need to be able to help the company to execute its strategy while managing risk appropriately to gain a competitive advantage."
To learn more about other world-class security leaders like Matt Davies who are in the HMG Strategy network, check out the agenda for our upcoming 2018 San Francisco CISO Executive Leadership Summit taking place on March 16, 2018 at the Fairmont San Francisco along with the star-studded speaker lineup for the 2018 New York CISO Summit taking place on April 5, 2018 at The Grand Hyatt New York.