Information security leaders are increasingly expected to consider business impact and mission as part of their strategies for securing systems and data. This has contributed to the decision of many organizations to appoint a business information security officer who works in tandem with the CISO.
But one question that emerged during the keynotes at the InfoSec World 2022 Conference was how much detail about business priorities should be pushed to security teams.
NFL CISO Tomás Maldonado said he believes transparency with security teams is the responsibility of the security leaders who fought for their seats at the table where business decisions are made.
“I encourage my team to meet peers within the peer group of the organization. And when I say peers, I don’t mean IT, please,” he continued. “Establish those relationships. Talk to business stakeholders to understand why they’re joining a new initiative. Eventually, pick up the phone, call that partner, and say, ‘Hey.’ You need to be able to say, ‘Look, this is what’s happening, and I believe this is the impact on your business.’ Such a collaborative culture is very important.”
Salesforce calls this concept of awareness “strategy to task.” It’s a philosophy put forward by former CIA CISO William MacMillan, who joined Salesforce in May as senior vice president of security product and program management. Step one: give security a seat at the table. Step two: help multidisciplinary teams understand the mission.
“If you’re thinking about developing apps, we need to be there. If you’re thinking about acquiring other technologies or companies, we talk about it because it affects internal operations. These are things security teams need to understand,” said Maggie Amato, head of business information security at Salesforce. Without that understanding, her security team faces what Amato describes as “Groundhog Day,” repeatedly asking what the purpose of a particular initiative is. It is neither productive nor empowering.
“Everyone needs to understand where we are going,” she continued. “What is Salesforce? What do you want to be when you grow up? We are a huge company. But what is the North Star? How do all the businesses work together?”
Executing strategy in a vacuum creates a unique set of risks for companies, especially those with complex organizational structures. At Salesforce, for example, all newly acquired software companies are called “clouds,” and each cloud has its own business information security officer. The company also has a chief trust officer who oversees not only information security but also data governance and risk. Amato herself reports to the chief trust officer, with a dotted line to the CIO, as the BISO for Salesforce’s 80,000 employees and its business partners.
Compare that to the NFL. Maldonado reports into physical security, which in turn reports to the general counsel. Four leaders report to Maldonado, responsible for governance and compliance, risk management, security, and architecture and engineering. Roughly 40 people roll up to those four. Beyond that, there are the 32 clubs that make up the NFL. With no direct command and control over the clubs’ security environments, Maldonado relies on the league’s broader vision and shared recognition of priorities to drive its overall security efforts.
“Not just because Tomás says you have to, or Joe Business says you have to,” he said. “Instead, if you turn on the TV on a Thursday night and watch a football stream, you see the translated value.”
Such top-down business transparency extends beyond the big picture of business milestones to the more subtle disconnects between teams that can hinder productive partnerships. Amato believes leaders “need to convey political nuances. Which mines should you avoid?”
“When I first joined Salesforce, there was some friction between the trust organization and IT. It was my fault,” she said. “It’s not the way to win business.”
Conversely, Amato flagged cases where certain business teams felt “hurt by previous security teams” that had embraced a “no” culture of throwing up roadblocks. That’s also not the way to win business.
Now, Amato said, the CIO, chief trust officer, and their direct reports sit down every two weeks to discuss disconnects and find common ground.
“Again, it’s a culture of trust,” she said. “I have the power to say no to the security team and I have the power to say no to the business, but only because I work to bring people together and understand each other.”