Many security roles require alignment and collaboration with other security and business leaders. Without alignment projects can stall across reporting lines and over negotiating resource allocation and task prioritization. Security should not be negotiated,
as much as it should be able to flow seamlessly into different business processes and initiatives. Building the right collaboration skills to incorporate security is the key to avoiding conflict.
This piece provides some tips for developing trust, reducing conflict and ensuring every security negotiation becomes a win-win interaction.
Security as a Business Enabler
It’s common to hear security leaders talk about security as an enabler, stating that security is the “Department of Yes,” rather than the “Department of No.” However, many organizations still struggle with security requirements
and controls that are not aligned with the business and seem to pose more obstacles and delays than the promised enablement and speed.
Security leaders also find difficulties negotiating with their business partners when it comes to applying policies, controls and risk management functions.
How to Align Security with the Business
If negotiation is approached as a win-lose proposition, by definition, one side loses. That’s not where you want to be as a security leader. The first rule of working with partner leaders is to make sure the negotiation isn’t about who wins.
It’s about making things work for the business, the customers and the shareholders.
To foster collaboration and progress, consider using one or more of the following approaches:
- Communicate strategies vs. policies: Don’t present policies as edicts to live by. Instead, use strategies, or themes, to convey the need for a consistent approach to handling data, assets, vulnerabilities, patching, etc. If you approach the
issue from a less-constricted perspective, your business partners will be more amenable to finding the “how” by themselves or listening to your suggestions about how the same result was accomplished in other teams (or even other organizations).
This makes it more about the end result, rather than simply meeting some policy or prescriptive standard.
- Take a business-first perspective: Make sure to educate yourself on the business need behind the issue discussed in the negotiation. Be the one to bring up the business perspective and be able to stake claims about how security fits into the narrative.
Being able to align security to business goals reduces friction. Instead of being seen as an adversary, it essentially puts security leaders on the same “team” as their business counterparts.
READ: The BISO Role: Where Business Meets Security
A good strategy here is to take time before meetings to truly put yourself in the shoes of the other leaders and understand their concerns. Start by talking through their side. For example: “I realize the launch is in five weeks and we have a lot
to catch up on in terms of application testing and configuration. To do that, let’s prioritize cloud security testing so we’re not pushing potential conflicts to the last minute and
risking the launch date.” That makes the security issues part of the overall process, and it assures your partners you have the same goals they do. Be able to focus on the positives including:
- Underscore the competitive advantage: Business leaders often forget security is a competitive advantage on several fronts. For example, strong security programs enable organizations to better compete on contracts that require certain certifications or regulatory adherence, and they also ensure the business can offer security attestation and testing that increases customer trust. Good security can also provide a long-lasting
reputational gain, as the security program handles incidents and is able to address them in a timely manner, while focusing on retaining customer trust. This approach can be used when dealing with efforts that may not have an immediately recognizable
deliverable (such as continuous monitoring and the need to have detailed application logs available).
- Be there to solve problems: Security doesn’t have to be the issue that holds things back. Leadership’s role is to identify areas where you can accelerate the business and help it get ahead. Handling contractual issues early in the process
can help fast-track onboarding of vendors (rather than being the roadblock, as vendor assessments are pushed to the last minute). Working with customers on requests for proposals/information
can identify areas of focus early and buy time for other teams to handle any required changes. Taking the approach of, “How can I make this work for you in the business context,” will forever beat an approach of, “Let’s see
what’s wrong here and if there are any security missteps in your work.”
Take a Risk Management Perspective
Security must never be relegated to the category where “we’re only doing this to check the box.” If it is, it means you haven’t succeeded in explaining the business relevance of a security issue/task or in understanding whether
a task is necessary from a risk management perspective. Any sort of checkbox-type action is going to be perceived as an action that does not yield any return and is an assured way to alienate others and position security back to the “Department
of No.”
Guidance for Security Leaders Communicating with Business Leaders
Remember to always frame the discussion in the business context and avoid getting into an “us against them” position. Security is a part of the process and is here to help make better products and competitive businesses. To ensure your negotiations
go smoothly:
- Avoid compliance for the sake of compliance: Always look for the business angle that has a tangible result associated with it. Show that security is there to achieve that result.
- Know the business better: Showing you are taking into consideration a broader perspective than the one discussed enables you to better frame the impact security has.
- Start by addressing your business partner’s issues: Be the one who recognizes what’s at stake for your peers and put yourself on their side. Help them work through issues, and always position security as an aid, not a hindrance.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.