Security teams are historically cost centers. It’s a necessity for organizations to create space in their budget and resource planning for cybersecurity initiatives. Oftentimes and historically though, cybersecurity creates friction towards delivering services or technologies that create value and bring in revenue. This ties back to all of the talk in the industry right now about security teams “enabling the business.” This chatter often doesn’t expand on what that really means though. This article will explore this dynamic.
Organizations exist for a reason. They exist to provide value to someone or something else. It is imperative that security leaders understand their organization’s mission and how it:
- Provides value to its stakeholders; and
- Earns revenue (or satisfies its mission in the cases of non-commercial entities)
To gain that understanding, leaders need to intentionally break out of their security and technology silo. Talk to other team leaders to understand their work, their pain points, and potential opportunities. Guided human-centered design research can be a great way to build a holistic understanding, but it’s more time-consuming and expensive. Start with something though, even if it’s (virtual) coffee meetings or lunches. Put a particular emphasis on individuals who are involved with organization initiatives that are on the front lines of value creation or revenue generation. Examples might be:
- Sales and marketing
- Product management
- Financial operations team
- Legal (specifically contract management)
As this understanding develops, security teams can then identify opportunities to optimize their efforts around value delivery.
Value Stream Mapping
Value stream mapping originates from the worlds of agile software development and human-centered design. The focus is on understanding the sequence of things that must occur to produce value for some stakeholder. Understanding the flow enables teams to ideate enhancements to parts of the process, improving the outcome. Building on the understanding of revenue centers within an organization, understanding what things must happen to produce value is key to understanding where cybersecurity teams are a dependency.
A commonly occurring example is when a security team is depended on to fill out third-party risk assessment questionnaires to support the sales process. The sales process is fundamental to bringing in customers who pay the organization for technology or services.
Another example is a security-generated policy that states new software must go through security validation or testing prior to moving into a production state. This might be a penetration test, a code review, a threat model, a compliance review, or something else entirely.
Understanding how security teams fit into a value stream is an important part of understanding pain points or friction.
Tying It Back to Value Generation
Value creation can come in many forms. Reducing cost for a business process or a stakeholder. Enabling a product to go to market faster while maintaining or improving the overall security state. Producing high-quality runtime telemetry directly to development teams and SRE’s about the state of a system so they can more effectively manage their services. These examples are by no means exhaustive, there is a lot that security teams can do to move into that “business enabler” role.
It’s important to note because there’s a lot that teams can do does not mean they should do it all. If everything is a priority, nothing is a priority. Understanding revenue centers, mapping out value streams, and actively seeking out pain points are important steps in prioritizing. There is not necessarily a right answer. Start with questions like this to begin ranking and prioritizing:
- What will this improve and for who?
- How long will this change take or how hard is it?
- Who’s going to care about this change? On this one, use this answer to engage stakeholders in the improvement process directly if possible.
- How will we know this change worked and how do we measure that?
Transitioning into that enabling role as a security team is a journey, not a switch that can be simply be achieved. Continual stakeholder engagement and review of opportunities to improve is an important step along the way of moving away from a sunk cost center as a security team.