What is the purpose of security?
I used to ask people to define security during a training class. I’d hand out slips of paper, one to each person. Somehow, I’d end up collecting more slips than I handed out, because people offered multiple definitions.
We still face the confusion and complexity of security today.
What is the purpose of your security team?
I don’t want to repeat the exercise. I’m asking what your security team does, or what it’s supposed to do.
Do you have a thoughtful, documented answer?
This is one of those questions that seems easy — until it isn’t. Many of the security leaders I work with struggle to clarify and explain an engaging purpose for their team. Maybe because it seems so obvious that we’re here to “reduce risk to a tolerable level” or some smooth-sounding answer.
Is that what the business thinks?
A few years ago, I worked with Todd, a security leader who joined a team right after a merger. That meant navigating the fallout from the previous CISO while figuring out how to get the team working together. What helped was the support and ear of Edward, the CEO.
To figure out the purpose of security, Todd simply asked Edward, “what do you expect from security?”
Taking only a moment to reflect, Edward explained he wanted three things:
- Meet client requirements; this was a B2B company that fielded hundreds of third-party risk due-diligence questionnaires (DDQs), plus additional requests to visit or audit security practices.
- Stay just in front of the curve so we don’t get surprised in the world or with our clients. More than “watch the wire” to identify bad things, Edward expected the security team to foresee changes to keep the organization a step ahead of clients.
- Differentiate us. Oh sure, “differentiate us” you think. We thought that, too. So we asked Edward to explain. Then we asked the COO. We even asked the chair of the board. They all agreed that while anyone could compete on call response time and rates, security that was truly incorporated from the beginning (what we all beg for) would be hard to compete against in a few years.
Edward gave us the clarity we needed to explain the purpose of the security team. Todd cited these three points in internal and external presentations, usually paired with a recent, appropriate example. The marketing team told us the three points resonated so well with clients during a webinar that they got a handful of early renewals and even signed a new client!
Defining the purpose and refining what it meant during a workshop changed how we worked together. We closed the old chapters to start a new one, focused on meeting the clarified purpose of the team. A defined purpose helped the security team get a sense of why their work mattered and a way to determine if they were working on the right things or not.
The team worked with sales to improve how they handled DDQs. The result was a faster response with consistent, high-quality answers the sales team was comfortable handling. On the back of a napkin, we saved a few hundred hours from our team each year and reduced requests for onsite inspections and audits, totaling over $1 million in the first year.
Not only was the sales team thrilled, but it freed up the security team to focus on fresh problems to solve.
What happens when we either don’t know the purpose or pursue the wrong/mismatched purpose?
The dreaded friction that erodes value, destroys trust, and burns people out. As friction builds, it grinds projects to a halt and makes everything more complicated, time-consuming, and expensive.
If you feel like you are burning out, check your purpose. Check the purpose of the team. Are they clearly defined? Are you in alignment? What about your team?