What Security Leaders Can Do To Stay Relevant

During this year’s Exabeam Spotlight18 conference in Las Vegas, amid the conversations about building a modern SOC or a successful insider threat program, Steve Moore, chief cybersecurity strategist at Exabeam, discussed the relevance of being relevant as a security leader.

Security teams often work in a bubble, overwhelmed and under-resourced, and few practitioners have the time to step outside of the noise. At a time when CISOs are fighting to get a seat at the table, however, those who have made the shift from technician to leader need to leverage strategies to become and stay relevant within their organization.

The reality is that everybody trades on some type of currency, whether it’s monetary or something more intangible, such as goals. Different departments within an organization can unintentionally create obstructions to the goals of those outside their own silo, which is often the case between security and sales.

“People that make money for the company often receive objections, or blockers, from security especially if there’s been an event, and anything that slows the sales process will be a concern. It’s important to find relevance to help that out,” Moore said.

One way to help out is to personally reach out either when a problem arises or even before an incident occurs. Moore has found great success in reaching out to the sales team and offering to give a quick five- or 10-minute presentation at the next quarterly business review or sales meeting so that sales can gain an understanding of two or three key security capabilities that might help them to close deals with customers.

Proactively Preparing Adds Relevance

Customers are starting to ask more security-related questions. Others fill out questionnaires about security capabilities, and sometimes the answer to what customers are looking for is, “No, we don’t offer that.”

“If I’m tracking those responses as a security professional, I can take that information back to executives and let them know that based on the fact that we’ve been getting these requests, this might be a good indicator of how we can improve our security offerings,” Moore said.

In addition, tracking the “no” responses opens the door to focusing on the positive, allowing the sales team to say, “Here is what we do best.” Security leaders can then host a tour or deliver a 30-minute deck when customers come onsite because they want to actually see what they are buying.

“Get good at that pitch,” Moore said. “Developing all of this, creating a little engine that you may not use all the time … That’s being a professional, that’s being relevant. Instead of reporting on viruses, report on or discuss with executives that you and your team helped close X number of accounts or delivered information pursuant to new business because we have a relevant relationship.”

It’s OK If You Don’t Have Time for That

Yes, security teams are overwhelmed, but Moore said that sometimes you have to pause the overwhelming to get ahead of that wave. “When I had the opportunity to build a larger team, instead of adding technical people, I added a communications director,” Moore said.

Many—not surprisingly—asked why, as the move was not well understood at the time, though Moore contended the move was responsible in part for at least one of his promotions. “You can’t continue to do the things everyone else is doing and expect to be unique and remarkable.”

As is the case with all things security, there is no silver bullet, and actively making security relevant is one of those efforts that could result in 16-hour days with everything else on your plate. But Moore said the bigger piece is about being a leader.

“Are you a technician or a leader? I’ve seen a lot of managers that are still doing technical things. You need to understand what it means to be a leader, to protect your staff, to say no and to look for creative ways to be a servant to the people that make money for your company.”

Most people who have made the move into leadership out of security have done so because they want to do more. Building those cross-silo relationships to achieve relevance might mean that you have to create content that you don’t get to deliver, you may not get the air time, but you must follow the money, Moore said. “Those are the things that will give you larger visibility.”

That is true, in most cases, even for the army of one. In fact, the smaller teams may have greater success because they have more direct access to the people that can help them address this asymmetric problem. “Count on coworkers and IT. Develop relationships with the help desk, email management—the people that can best assist you. And if it’s ever in your budget to build out your team, hire on emotional intelligence. Look for someone who will be able to facilitate relationships.”

In a smaller shop, some of what Moore suggested doesn’t scale equally. Rather than focusing on the limitations, shift the perspective to leverage the benefits of not having to deal with the bureaucracy that can hold up the process.

Having learned some tough lessons post-breach, Moore tries to live by the motto, “Be friendly, be nice, put someone else first.” While that epiphany was born of big disaster, the larger theme is about connecting the dots to address the systemic, downstream problems in security leadership and to make security relevant within and across the organization.

Kacy Zurkus


Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). She has also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
