How to Turn the CISO from “Dr. No” to a True Business Enabler

The world is not only getting smaller, it’s getting faster. CEOs everywhere are singularly focused on business agility, innovation and competitive advantage to drive growth and profit. And they’re looking to the office of the CIO for help. I don’t care what business you’re in; technology is the new battleground, and it’s the key to winning the war. But here’s the challenge: at least 80 percent of the typical company’s IT budget is dedicated to simply keeping the lights on – maintaining the status quo. Precious little is left over for new business initiatives like mobile and big data.

Thankfully, the CIO now has a powerful ally to begin transforming IT into a catalyst for growth: cloud computing. By getting rid of expensive physical data centers and paying for only the infrastructure that you need, when you need it, there’s an enormous opportunity to convert operating money into innovation. The business benefits of moving away from physical data centers to the cloud are simply too compelling to ignore.

The movement to the cloud has enormous potential, but it’s also a hugely disruptive shift in the way businesses operate. That shift has made it increasingly difficult for IT to track and manage its assets and to maintain a secure technology environment.

So how is the role of the CISO changing in this brave new world? Traditionally, CISOs were the “Dr. No” of the organization, and with good reason. We’ve trained security leaders to be risk-averse, methodical and conservative. No one applauds the CISO when nothing bad happens, but the CISO is always the first to be blamed when there’s a breach.

As a result, Dr. No delivers steady resistance to business leaders, which is counter-productive to the growth mandate (not to mention career limiting). In response, many business units simply pull an end-around on IT by contracting with outsiders for elastic IT services (shadow IT), further complicating the landscape.

What if there was a different vision for the CISO? One that enabled them to say “Yes” more often than “No”, a vision that positioned security as more than just an operational tax on the business?

Is it possible for the CISO to be a true business enabler? The answer is an unequivocal “Yes!” Here are some initial steps to consider in mapping out this transformation:

  • Commit to change. Recognizing that change is beneficial is the first step to meaningful transformation. Commit to becoming an agent of business enablement – and mean it. Let people know your intentions; you will be amazed at how many folks want to help.
  • Speak in the language of the business, not the language of security. Too often, IT leaders and CISOs end up alienating their “C-Suite” brethren by diving into minute details that only security folks can understand. Instead, keep your communications with other executives short, speak plainly and use language that is relevant to the business. Point out ways that you’re enabling rapid time to market for new customer offerings while securing the business at the same time. Eliminating risk and preventing expensive data breaches are fast becoming business imperatives. Take up the flag and explain in plain language how your team is delivering.
  • Enable the business so they don’t run in the shadows. Embrace the business drivers that cause shadow IT: the need to move faster, be more agile and innovate. Make it safe for the business to leverage cloud and virtual technologies (see below). Monitor progress and provide the tools the business needs to succeed; this will bring them out of the shadows.
  • Choose a cloud security platform that supports business growth. It’s clear that traditional, perimeter-based security models don’t work in cloud infrastructure environments. If you’re investing in private or public cloud, pick a security solution purpose-built for the cloud that moves security to the server (VM). There are a growing number of these products on the market, so how should you evaluate them? Here are 5 essential ingredients that will not only keep the business safe, but allow you to become a business enabler:

    On Demand: Modern cloud security solutions must be able to be switched on, instantly. It should take just minutes to set up and configure non-intrusive visibility and protection – at the virtual machine (workload) level. This contrasts with traditional software or security appliances, which often take days or weeks to configure and get running. The solution must also be able to run in “read-only” or audit mode, making it ideal for visibility and compliance use cases.

    Comprehensive: Your cloud security solution should be ‘always-on’ and provide a full suite of security and compliance capabilities including: workload firewall management, multi-factor network authentication, configuration security monitoring, software vulnerability assessment, intrusion detection, file integrity monitoring and more. Many offerings on the market today only support some of these features.

    Works Anywhere: Moving from physical data centers to cloud technologies won’t happen overnight. And most companies are investing in cloud technologies from multiple vendors. This makes good business sense as the market matures and you spread risk around. You certainly don’t want to be locked into a single cloud provider that may, one day, be surpassed in features, performance or reliability. So choose a security platform that is agnostic to the infrastructure it runs on. It should give you visibility and enforcement in any environment: virtual data center, private cloud, public cloud, or mixed (hybrid).

    Operates at Any Scale: Pick a cloud security solution that provides hands-free security automation and orchestration that’s built-in, making it fast and simple to provision elastic compute needs for the business, at any scale. If the platform uses an agent model, check the size of the agent. If it’s larger than 6MB, beware; the solution will not scale. Ensure that the platform supports full automation and orchestration capabilities, making it faster and easier to support fully elastic infrastructure needs.

    Invest in a Platform, Not a Feature: Choose a security platform, not a security feature. Vendors come out with new features all the time, oftentimes leap-frogging each other. Future-proof your decision by examining how fast new features come to market, and how disruptive they are to existing implementations. Make sure the platform itself is architected to scale and that it is fully integrated through open APIs with the virtual infrastructure tools you already use today.

The bottom line? The role of the CISO is transforming – fast. The catalyst for this change is the dramatic shift to cloud computing as a vehicle for business growth. Modern CISOs need to embrace this movement. The good news is that best practices are emerging to help turn the CISO from “Dr. No” to a true business enabler.