Information security leaders are increasingly expected to consider business implications and mission as part of strategies to protect systems and data. That expectation has contributed to the decision by many organizations to name a business information security officer to work in partnership with the CISO.
But one question emerged during a keynote discussion at the InfoSec World 2022 Conference: how much detail of business priorities should be pushed down to security teams?
“Having the business understanding — the why — is critical for the success of my team,” said Tomás Maldonado, CISO of the NFL, who sees transparency with the security team as the responsibility of security leaders who fought to get a seat at the table for business decision making.
“I encourage my team to meet with their peers, within the peer groups of the organization. And when I say peers, I'm not saying with IT. No — be with the business,” he continued. “Establish those relationships. Understand why we are entering into a new initiative by speaking to your business stakeholders. Eventually you need to be able to pick up the phone and call that partner and say, ‘Hey, look, this is what's going on. And this is what I believe the impact to your business might be.’ That sort of collaborative culture is very, very important.”
Salesforce calls this concept of awareness "strategy to task" — a philosophy advocated by William MacMillan, former CISO of the CIA who joined Salesforce in May as senior vice president of security product and program management. Step one: give security a seat at the table; step two: empower teams across disciplines to understand the mission.
“If you're thinking about developing an app, we need to be there. If you're thinking about acquiring some other technology or a company, we talk about it because it impacts our internal operations. Those are the things that the security team needs to understand,” said Maggie Amato, business information security officer for Salesforce. Without that understanding, security teams face what Amato describes as Groundhog Day: over and over, trying to understand why they are doing something and what the purposes of particular efforts are. It’s neither productive nor empowering.
“Everybody needs to understand where we're going,” she continued. “Who is Salesforce? What do we want to be when we grow up? We’re a giant company; but what is the North Star? How do all of the businesses align?”
Strategy execution in a vacuum creates its own set of risks to the enterprise, particularly for those with a complex organizational structure. At Salesforce, for example, every newly acquired software company is called a "cloud," and each cloud has its own business information security officer. The company also has a chief trust officer, who oversees all of information security as well as data governance and risk. Amato, specifically, is BISO for all of internal Salesforce and its 80,000 employees, reporting to the chief trust officer with a dotted line to the CIO as her business partner.
Compare that with the NFL. Maldonado reports up through the physical security team, and his boss in turn reports to the general counsel. Within the security team, four leaders reporting to Maldonado are responsible for governance and compliance, risk management, and security, architecture and engineering. About 40 people roll up to those individuals. Beyond that, there are 32 clubs that roll up into the NFL. With no direct command and control over their security environments, Maldonado relies on awareness of the league’s grander vision and priorities to drive security efforts throughout.
“It’s not only because Tomás says we need to do it or because Joe Business says we need to do it,” he said. “It instead is because of the value that you're going to see translated when you turn on a TV on Thursday night to see football streaming.”
Such top-down business transparency goes beyond big-picture business milestones to the more subtle disconnects among teams that can impede productive partnership. Amato believes leaders should “communicate the political nuances; what landmines to avoid.”
“When I first came to Salesforce, there was some bad blood between the organizations of trust and IT, and it was because of a mentality that if the trust team says this, you have to go do it,” she said. “That is not a way to win over the business.”
Vice versa, Amato flagged when particular business teams felt “scarred by previous security teams” that subscribed to the “no culture” of throwing up obstacles. That, too, is no way to win over the business.
Now, Amato has the CIO and the chief trust officer, as well as their directs, sit down every two weeks to talk through disconnects and find common ground.
“Again, it’s that culture of trust,” she said. “I am empowered to say no to the security team and I'm empowered to say no to the business. But that’s because I work to bring people together” to understand one another.