Organizations of all sizes have recognized that sustainable business processes are a critical factor in ensuring long-term shareholder value. Short-term gains may appease the market and some investors, but the real value lies in a corporate strategy that is backed not only by digitization and technology investments but also by your people and the processes that create long-term capabilities and opportunities, facilitating a continuous-improvement culture that will endure for years.

Building sustainable cybersecurity programs is no different. As risk managers, we build credibility and value for our organizations by ensuring that the security program is aligned to business strategies and priorities.

As security organizations begin to adopt these business strategies, there are fundamental aspects of our programs that need continual focus. The first is a focus on relationships.

Relationships with your customers, your partners, your peers, and the larger security community are critical to success. We have moved well past the expectation that security will be the “NO” organization. They should say no at times, but it should be limited. A qualified yes where you work to figure out the solution as a partner or where you recommend boundaries is the better approach. And if security does partner with the business to find a solution, they should implement it. This will build the trust that you need to take the next step in your journey.

The relationships and bridges that you build with your internal IT, HR, Law, engineering, compliance, procurement, supply-chain, and other partners will create an environment of collaboration, which is so important today. It is tough for any company to ensure that its employees are all moving in the same direction, so if you can create an environment where your business functions are aligned, partnering, and working to remove cross-functional barriers, this will allow the business operations and sales teams to focus on delivering value for your shared customers.

I remember a time when I was just starting in security and was working on a cross-functional team working to implement a proof-of-concept for a new technology. The technology was intended to help support one of our most critical business areas. Early on in the project, the SVP of that business area had a whiteboard session with the entire team where he described all of the steps included in one of their playbooks and how this technology would help bring greater visibility, ensuring that his team had quality data to make the right decisions.

As I was listening and taking notes, a light went off and I realized that what he was describing was exactly the same process as a security incident response playbook. He was using different syntax, but the steps aligned exactly. Later in the project, I asked him for some feedback on gaps that he had in their program and lessons learned that I was able to use to make improvements in our program. I learned a valuable lesson that day – be humble enough to think that others have walked down your same path. Their road may have looked a little different, but there are lessons that we can learn from our peers, other business areas, and our partners that will help us all be more successful.

The second is a focus on your people. Organizations use many models to deliver their capabilities and processes. Internal staff, staff augmentation, contractors, outsourcing, and managed services are some of the models that are being used. Which one is best depends on a number of factors, and the answer will most likely be a combination of all of them. There is no right answer, but there are wrong answers.

As security leaders, we need to ensure that we are supporting our employees – whether they work directly for us or through a support organization. There are a lot of ways to do this, but I have found that if you demonstrate care, then you WILL meet their needs. You show care by listening to them and understanding their concerns, perspectives, and desires. You show care by giving them real individual feedback. You show care by getting them access to the resources enabling them to be successful. You show care by making timely decisions, prioritizing, and setting strategy and direction. And you show care in the way that you understand their career goals and help them determine a path forward through training and experiences. Encourage them, help them, and let them do their jobs.

The third is a focus on fundamentals and operational excellence. Too many times, organizations get so excited about the latest trends, technologies, and widgets and focus on buzzwords. Augmented Reality, AI, ML, Zero-Trust, XDR, robotics, and digitization are all areas that have real solutions for the business outcomes that we are seeking. Focusing only on the new and forgetting about the older, existing capabilities that you have in place can create an environment of technical debt and unreliable processes that will burden your organization. Many organizations do not adequately resource efforts to manage and eliminate this debt, which can erode an organization’s ability to manage its most critical assets. We need to continually assess these risks so that they do not deteriorate further and cause operational issues for your business.

Let’s applaud the thankless job of asset managers, configuration managers, contract analysts, financial analysts, system administrators, and other IT and enabling-function staff who take care of the fundamentals to ensure that we in security know where to focus.

Successful managers want their departments to be productive and agile enough to respond to changes in their business. By focusing on some core fundamental principles, they can create a sustainable program that reflects a priority of long-term success.