Two Veteran CISOs Shed Light on Process Improvement
Share with Your Network
Two years ago, pandemic lockdowns reshaped the nature of work and sent the total number of Americans without gainful employment hurtling to nearly 15%. Even though unemployment rates have returned to pre-COVID levels, workers and employers face a different scenario: People are abandoning jobs at a surprising rate–not because they have to, but because they want to.
The Great Resignation (also known by our favorite moniker, the Big Quit) arose when a wave of unhappy employees used the disruption caused by the global pandemic to leave their jobs in search of greener pastures.
Leaving companies in a lurch–and vulnerable
In the cybersecurity space, the Big Quit intensified an already significant talent shortage, and enterprises are feeling the pinch. Constraints on cybersecurity talent result in fewer people to problem solve and increasing pressure to do more with less. Companies everywhere are looking for ways to entice their cyber all-stars to stay put. These include smoothing out processes and automating oft-repeated tasks, which together help lead to better productivity and higher work satisfaction.
But process improvement is easier said than done. That’s Kenna Security’s Ed Bellis and The Economist’s David Peach concluded a few months back. The longtime security experts discussed tried and true methods to combat ineffective and cumbersome processes that hamper business agility. We listened in, and then organized a few of their key insights to help other security leaders looking to level-up their processes for happier, more productive team members.
Technology is easy, people are hard
On paper, processes can be carefully designed and optimized, perfectly streamlined to have as few touchpoints or hurdles as possible. But these seemingly frictionless security workflows are made immediately complex once human beings get involved. “Dealing with people is the messy part,” reminds Bellis. “If there was just tech, that part would be easy.”
He’s not wrong. Study after study underscores the problems that arise when humans and cybersecurity converge. But it’s not just a lack of skill or knowledge that’s the problem. People introduce conflicting directives or incentives, misaligned goals, and differing personalities, costing valuable time, energy, and ultimately money. On average, this misalignment wastes roughly 10% of company spending.
Lucky for you, the fix is fairly straightforward: communicate.
Effective, clear, and collaborative communication can curb the impact of misalignment, dueling directives, or reluctant participants. Peach emphasizes that it’s relatively easy to sit down with people and get to the heart of what they’re trying to do. “If you understand the other group’s goal, you can sell what you’re trying to do in a way that matches their goals. So they get the WIIFM (what’s in it for me?). Sell it in their context and their terms.”
Ed concurs, pointing out that assuming good intent is paramount. “Everyone is coming to the table to try to get something done they’ve been chartered with. Actually, sit down and talk to folks to understand what their objectives are. I’ll bet you can map a lot of what you’re trying to get done with what they’re trying to get done.”
The crossroads of progress and perfection
Processes provide a clearly marked path forward with pre-determined guidelines to achieve the desired outcome, but those conditions don’t often allow for the flexibility needed to overcome obstacles (or meet shifting needs of the business and leadership demands). That’s why Peach keeps a sticky note next to his monitor with the aphorism, “Perfect is the enemy of good.”
To combat the limitations of process adherence, Bellis warns of the dangers of analysis by paralysis. “I’ve always been a fan of making incremental improvements. There’s always going to be something that gets in the way of perfection. Having a bias towards incremental improvements goes a long way.”
Another common perfection pitfall emerges when teams try to force processes onto others. “There are very few people in the org whose job title involves security,” reminds Peach. Everyone else has a different job title that isn’t something that is motivated or incentivized around security. But you can try and do things that fit in with their process to make it part of their thought process as well.”
The same holds true when it comes to shedding technical debt. Bellis recommends dedicating a certain percentage of business-forward, revenue-generating initiatives to addressing tech debt so you’re constantly churning out debt. While wiping that debt clean before taking on any new projects seems ideal, it’s not realistic and will ultimately prevent progress.
Cultivating a security-centric culture
Whether processes are effective or efficient is determined by company culture, and that can be a challenging shift to make. Ultimately, these CISOs agree it must come from the top. “If you don’t have support at the management level then it’s not going to go very far,” notes Bellis. “It’s a heck of a lot of evangelizing across your organization to get cultural shifts. It will be a long journey.”
But a worthwhile one. Bellis is heartened by the number of people outside of Security teaming up and effectively working together. “We see a lot of people. It sounds hokey, but it is big.” Peach sees it in the wild, too. “Integration between tools and processes has been a transformation that’s helped build relationships between groups, break down the silos, and achieve shared goals.”
One way companies are creating security stewards across departments is through simplified solutions, which are designed to invite non-security employees to become active participants in defending the company’s risk profile. Removing archaic security gatekeepers and evolving beyond traditional risk management increases collaboration, reduces friction, optimizes resources, aligns teams around risk, and creates shared goals; all of which impact process performance (and the employees running them).
Ensure smooth cyber sailing
In an increasingly unpredictable and interconnected world, you need effective and satisfied cybersecurity talent at the helm. Clearing obstacles and doing whatever you can to ensure smooth sailing will help keep them there.
To learn more about smoothing out inefficiencies and establishing a collaborative security environment for all, watch the replay: Hacking Process: An hour of critical thinking about delivering and receiving the right information to the right people at the right time