One of the highest-stakes parts of my job as the leader of our Security & Risk business is the in-depth business review that I present to Forrester’s executive team twice a year. And I always start those presentations with a single slide in which I attempt to capture the Security & Risk profession in as few words as possible. My current formulation is: “We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely.”
Our CEO, George F. Colony, sat bolt upright and said, “Wow – I didn’t know that CISOs saw their roles in such business-centric terms!” To which I replied, “And that’s exactly the problem. Strong CISOs are generally all action and very little talk – they put the brand and business opportunity at the center of everything they do, but they don’t brag about it. And thus they don’t get the recognition they deserve.”
And my team and I are on a mission to help you change that. Because we know that a strong security & risk program can be a competitive differentiator. We can help our businesses win on the global stage by enabling our firms to accept more (and different!) risks than others can afford. Rethinking your security assumptions and your security infrastructure means that you will have the skills, processes, and tools your business needs to seize new opportunities. So now you just have to get the word out that you can help.
“To succeed, Security & Risk leaders need to be part of the business strategy.” If I had a nickel for every time I’ve heard someone give some variation on that piece of advice, I’d be rich. As you all know, that’s an easy thing to say but a difficult thing to do. And that’s particularly true now, because our business leaders today are prioritizing growth – they’re entering new markets and releasing new products and services to grow revenue. Your business will unleash the creativity of its entire extended enterprise ecosystem – employees, partners, suppliers, and current customers – to find new ways to win and serve new customers. And your extended enterprise will connect via mobile and social applications and use cloud services.
Security & Risk (S&R) chiefs and Infrastructure & Operations (I&O) leaders have a lot in common, and in great companies, we work in concert to run an efficient, reliable technology infrastructure that keeps critical business assets safe. Much has changed in the world of technology since I pulled my first all-nighter in a data center (falling asleep next to the EMC Symmetrix array was not one of my better ideas – those corners were sharp!), but that partnership is still the same – it takes security engineers and network/server engineers working together to solve really thorny problems.
We have our frictions, of course – I&O pros prioritize operational stability and continuity of service, while S&R pros must occasionally interrupt that continuity to contain security breaches. But when a serious incident (whether security breach or system failure) threatens to sideline our business systems, it falls to us to find and fix the problems – together. We may be organizationally separate now, with I&O reporting into the CIO and the CISO reporting into a COO or Head of Operational Risk, but we share a set of fundamental challenges. We must excel in our own domains (not exactly a cakewalk) but also anticipate and deliver on what our businesses need (much harder).
And what our businesses seek today is growth – in Forrester’s most recent survey of business decision-makers, the top two priorities were growing overall company revenue and acquiring and retaining customers. S&R pros have already worked hard to escape their “Department of No” reputations, and I&O pros have labored tirelessly to get out of the data center and into the business.