The Seat at the Table: Integrating Security into your Business
The success of a security program is largely determined by how well it is integrated into the fabric of the organization, in terms of breadth of coverage (how widely it is integrated) and depth (what is the quality of that integration).
We often talk about how security needs “a seat at the table”, in other words, whether the security team is a full peer in the key decisions of the organization. Less talked about is how to get that seat at the table. There are usually 3 ways:
1. Kick some doors in and sit down at the damned table and make your presence felt. This, naturally, requires a certain degree of will or personal courage, but I’ve known plenty of people that have done this in many disciplines and it is highly amusing to watch. In many cases there is little resistance to this... initially.
2. Have the role power to do this naturally, whether this is because of tenure, professional stature or, most often, because you’ve been hired at an organizational level to operate that way. I’m highly skeptical of the fixation on CISO reporting lines, but perhaps the only point I’ll concede on this is if you are in a type of organization where your ability to get your program integrated is really dependent on the optics of your organization position, then a particular reporting line might be a price to pay to do this. I say “price to pay” because a misaligned reporting line just for stature can be a detriment to the actual alignment you need to make your program truly successful in the long term.
3. Working diligently and relatively quickly to plug yourself and your team across the organization, step by step, process by process. Even if you’re comfortable with doing 1 or being granted the ability to do 2, it is often better to do it this way. Doing this steadily and progressively can be better because as you integrate you will do so with higher effectiveness, more consideration to bringing value to those processes, and in a more sustainable way. This would include being able to delegate integration to your key leaders, so it can be a big part of their career development. Your ultimate measure of success is how much you can bring your organization to enterprise integration, not just how you can be personally integrated. In many cases, relying on approaches 1 and 2 can backfire because you may not then have the bandwidth to sustain your personal engagement at the level of effectiveness that people will ultimately require.
So, let’s focus on 3, integrating across your enterprise processes. Every organization will be different but the major ones to focus on are in the following general categories:
Make sure you are fully embedded in the corporate governance of the organization to ensure security is treated as a first class business risk. This can be as simple as making sure you are integrated with the various organization risk committees, policy approval processes and so on. In doing this integration it is important to map which part of your risk taxonomy is covered at which process. If there is overlap, as there often is, make sure that it is intentional and explained in the right way. If there are independent issue tracking systems in each of these governance processes then link your issues into those tracking processes. Next, the clear value you can bring is to drive less duplication, more convergence and a consolidation of approval and issue tracking processes.
Integrate across many, if not all, of the core business processes of the organization from new product development, new business process approval, strategy, partnerships, acquisitions and divestments, budgeting, people processes, technology and software lifecycle through to the day to day operations processes of the company. It is, of course, likely that the nature of the process integrated with will determine the extent and nature of the integration.
This is less about an organizational or process approach; rather, it is about integrating security solutions and capabilities into the wider infrastructure of the organization, and then making sure those embedded security solutions are wired together such that if you get one capability you get the others by default. A useful way of thinking about this is that your goal is to empty your security architecture of products and capabilities so that people do not have to come to your team, because you have embedded them transparently into everyone else’s products.
Skills / Behavior Integration
If your goal is to increase the security skills of the whole organization then bringing people to your training might be the least effective way to do this. The better way is to embed the content you want into other people’s training - integrated into the context of that business role. For example, if you want to improve the security awareness of call center staff then embed content into their regular training, the job enrollment training and other dynamic feedback systems they have rather than dragging them into your content. Similarly, seek to integrate skills improvement at the point of maximum attention. This can range from the trivial, like giving people travel security tips when they get their ticketing (remember that?) through to the more sophisticated, like training on secure software development techniques inside the SDLC when those specific issues are detected. Finally, it’s also worth finding communities of practice or other groups in your organization who are natural constituents to partner with. For example, I’ve seen many safety critical industries have their safety or quality expert groups engage on security topics as a matter of interest rather than stipulation.
Formally link into industry associations (not just the security related ones), trade groups, as well as your own legislative, regulatory and government affairs processes. This is not only important to make sure you are engaged but is also a massive opportunity to add value on shaping matters that benefit customers and help the competitive positioning of your business. Similarly, getting engaged in customer acquisition, onboarding and related processes like RFI/RFPs gives your team access to support business goals and see customer pain points which you can then take back into other processes.
Keep focus on your risk and control performance and your security incident root cause or near miss analysis. But, also, work to integrate with the rich seams of data that come from SRE processes, operations, risk, compliance, manufacturing and many other aspects of your organization. This is highly informative to the security work and also gets you engaged with pushing risk convergence and other opportunities.
Don’t just do security assessments of your vendors, also get your team embedded in the supply chain process to support and educate vendors. Examine your extended supply chain and identify ways to help your vendors solve their problems to ultimately solve yours.
All of this integration needs to be done carefully. You can easily get over ambitious and do too much too soon, with the adverse consequence that you are spread too thin, doing poor quality work in too many places. Doing this well includes:
Establish the goal of the integration. Is it to observe, to be an approval gate, to drive an agenda, or other? It might be this changes over time, but be clear at each stage what is needed because each of these goals will need a different level of engagement.
Priority. What is the priority of integrating with this process (urgency vs. importance)? There may also be tactical prioritization, in that integrating with the process you really want to be embedded in first requires you to integrate with some other processes.
Process Maturity and Linkage. Make sure that your own organization’s operational maturity is capable of supporting the integration objective. For example, if you want to integrate into a process as a hard approval gate then you need to make sure you can match the business tempo of that process and/or be able to rapidly shift left in the process so there is less pressure on the gate.
Add Value. Make sure whether it is people integrating into a management process or a solution/capability integrating into an IT or operational process that you are generating some adjacent benefit. This might be to bring your team’s ideas beyond security to the process or to get the security tooling to improve efficiency, performance, or reduce cost.
People. Make sure your team has sufficient capability, maturity and a commercial mindset to drive the integration in a way that can add this value.
Share back to your organization. Use the information flow that you and your team are immersed in as a result of this integration. Share it with all of your organization to keep them fully aware of the richness of what is happening.
Cross pollinate experience. If you and your team are widely and deeply integrated across your organization's key processes, you might be the only team in such a position. This gives you a unique vantage point on many emerging best practices and integration opportunities for other teams and their business initiatives. Imagine the value you can bring to either your business or IT by highlighting activities in other parts of the organization that would help them or help serve customers. The security team as organizational connective tissue is massively under-appreciated.
Bottom line: you have to deliberately and methodically integrate security into all your enterprise processes. Doing this well not only gets you the seat at the table but, more importantly, gets your team their seat at all the right tables. It makes the organization want you there rather than just tolerating you being there because of will or role power alone.