Cybersecurity has a huge impact within an organization. Initiating and launching programs requires company-wide dedication and buy-in to prioritize these projects and quickly respond to threats. How can IT and security work together, and what goes into getting the board of directors on board? At CMMC CON 2023 we recently discussed these issues with Eric Liebowitz, Thales North America CISO, and Sashi Chandrasekharan, Stellant Systems CIO, who offered insight into a company’s best path forward.
Both Eric and Sashi are experienced cybersecurity professionals. Eric has spent nearly two decades in the cybersecurity space and possesses experience building and maturing information security programs for large financial services and technology organizations. Sashi has 26 years of experience in manufacturing organizations and served as Director of Digital and IT at Parker Hannifin and Leader of Digital CX and Data Analytics for Aerospace Group.
Practical approach: Security should come first
“Security is the foundation of anything and everything we do,” Sashi states. “It’s not about checking the box. My security team has to convince me that an action is the right thing to do for the business. When we do the right thing for the business it becomes an easy sell for our organization to adopt. We need security to make sure we are keeping our company safe and IT is all about productivity. Both are critical to running the business.”
Focusing on requirements can help your company align with that foundation—and the resources and business cases flow from understanding that. Eric shares, “We have a process to take business requirements in and balance them with IT requirements. We value score by examining different criteria. Does an action make the business more productive? Does it reduce headcount cost? Is it helping with compliance? There’s no unlimited budget—so we have to work within some constraints. In certain cases, especially when it comes to compliance, these initiatives move to the top of the list.”
Importance of alignment with Board of Directors
It’s critical for your IT and security departments to be on the same page as your board. Selecting discussion topics for a board meeting and crafting the right approach can help build consensus and pave the way for advancing important cybersecurity projects.
“In manufacturing, they always say the first slide should be about security. I make sure that the board is aware of our security status upfront,” Sashi says. “I create the content in such a way that the board sees the financial outlay and the results.” He then presents some of the data points to illustrate the full closed-loop process of catching an issue, launching a fix, mitigating impact, and making sure that it’s not going to happen again. “I discuss the constant continuous improvement process to show how the company will continue to strengthen its posture. The rest of the conversation becomes easier once the fear is gone.”
Sharing information about what security is doing, how success is measured, what projects are on the docket, and the value that the company is getting are all important. “We’ve shifted the conversation to risk management,” Eric continues. “Instead of talking about vulnerable systems and patching, we ask business leaders what the business impact would be if the data on that server or in that application was exposed publicly, or if that application was offline for four hours or 24 hours. When you start talking at that level, people start paying attention as financial or reputational risk is really important to the business.”
Another way to achieve this goal is by creating a business or security liaison role: a person who understands the diverse requirements and who can bridge the gap between security or IT and the business.
Ensuring security has a seat at the table
“My first question when someone approaches with an issue is, ‘Did you talk to security?’ Then I create teams where I assign a security person as a main contributor or as a partner depending on the project. Sometimes this person is placed in an uncomfortable position asking uncomfortable questions and wanting to be perfect,” explains Sashi. “That’s when I come in and say, ‘Okay, what’s the risk if we don’t do this?’ Then I either assume that risk myself or I’ll put that in front of the management team to help decide. All this happens very transparently. That’s how we build synergies between IT and security.”
What good looks like is when you can’t tell the difference between security and IT; it’s simply embedded in your leadership style. It’s when security and IT are working together as one team. Security should be in the background and it should work every time, providing risk management and helping employees do the work they need to do as quickly and as safely as they can, with minimum disruption.
“The cost is significantly higher if security comes in at the end to say, ‘Here are requirements that you should have thought about,’” Eric states. “It is a culture shift to get everybody together at the same time. When that doesn’t happen, projects take longer and cost more—and they face the risk of internal or external auditors coming in and issuing findings afterwards.
“Security is like the brakes on a car, which are there to help someone go as fast as they need to go until they get to a curve or, in the case of a business, an area of risk, and then slow down just enough to navigate that risk or that curve and allow them to speed up again. If security is seen as an impediment to getting things done, people will find a way to go around it and that’s not where we want to be,” he concludes.
Remember that there is no compliance without IT and security. If you need help aligning your IT, security, and compliance objectives and executing on your plans, contact the experts at CyberSheath.