Dec 21, 2020

Veracode CEO on the Relationship Between Security and Business Functions: Security Can’t Be Effective in a Silo

By Hope Goslin

Veracode CEO Sam King says that security can’t be successful, and in fact will become a blocker, if it operates in a silo. She recently sat down for a fireside chat with Mahi Dontamsetti, State Street CTRO, and Jim Routh, MassMutual CISO, to share her thoughts and observations on communicating about security to the Board and the overall connection between the security function and business functions.

She notes that even though there are often designated technical experts on the Board, there is now an increased awareness around cybersecurity, even among the traditionally business-oriented members. So, it’s important to tailor messages to the business functions so that they too can understand the organization’s risk posture. This doesn’t mean that you should try to make everyone on the Board a cybersecurity expert, but King remarks that there should be a “baseline knowledge that all Board members have around cybersecurity.”

Mahi Dontamsetti agrees with King that cybersecurity should be communicated to all members of the Board in an easy-to-understand manner. Dontamsetti goes on to say that sometimes it’s the non-technical experts who ask the best questions or have important insights into cybersecurity. They’re sometimes able to fill in the “known unknowns.”

Jim Routh adds that Board members are actively seeking out cybersecurity knowledge. “Board members today go to classes to improve their skill through NACD or other associations,” he said. “They're re-skilling and retooling themselves at a pretty significant pace, so that will give us more Board members with cybersecurity expertise.”

Routh also mentions the importance of level-setting cybersecurity expectations with the Board. It shouldn’t be about eliminating all cybersecurity incidents, because that’s unrealistic. The goal should be to “recover quickly when you have security incidents and minimize the business impact.” And the whole organization needs to work toward that goal. “Every enterprise at any level of maturity today has to recognize that incident response for cybersecurity has to be a fabric for the entire enterprise. It's not just a siloed function in IT or in cybersecurity.”

How can you ensure that cybersecurity isn’t siloed? Routh recommends identifying your top 10 cybersecurity risks and making sure that they are well known throughout the company, especially among senior leaders. Resources should be allocated to those top 10 risks, and projects and initiatives addressing them should be prioritized.

Not only should you come up with your top 10 cybersecurity risks, but it’s also worth identifying your top 10 business strategies. King makes the point that “when you're looking at the top 10 of your business strategies as a company, regardless of whether you're a cybersecurity company like Veracode or you're a financial services company, or whatever industry you're in, cybersecurity has to be in that top 10.” By making cybersecurity a top 10 business strategy, you ensure that executives and senior leaders are prioritizing risk mitigation strategies and, hopefully, integrating the strategies company-wide.

If cybersecurity is siloed, departments may try to ignore security best practices for the sake of speed. King remarks that without cybersecurity integration, you may hear a lot of, “We're super excited about this project, but once we go to the security person there's going to be all of these different things that we have to be concerned about. And, will we be able to get it done or not?”

But cybersecurity integration doesn’t have to slow down processes. If you start your project with security best practices in mind from the very beginning, there won’t be time-consuming or expensive rework down the line.

And how about obtaining cybersecurity resources and budget? Well, King explains that if cybersecurity is one of your top 10 business strategies, there won’t be arguments as to whether or not cybersecurity initiatives should be funded. Cybersecurity won’t be “taking money” from a different initiative if it was already determined that cybersecurity is a priority.

To learn more about communicating cybersecurity to the Board, or for tips on integrating cybersecurity best practices throughout your organization, check out the full webinar, Driving the Cybersecurity Agenda with the C-Suite and Boards.

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.