2022 Just Around the Corner: It’s Time to Transform Our Security Programs
Demetrios Lazarikos (Laz)
March 18, 2022
2022 is just around the corner. Now is a great time to reflect and think about transforming our security programs.
While recently thinking on ways to help our community tackle this challenge, I ran an informal poll on LinkedIn. More than 50% of organizations polled don’t have a technologist on their board of directors – and – 14% of those who responded did not even know if they have a technologist on their board.
Does this shock you?
Polling data aside, I learned for myself—the hard way—how difficult it is for InfoSec teams to educate the board or executive staff when they use tech buzzwords instead of speaking the language of the business: performance and outcomes.
Business transformation is constantly taking place—staying current and relevant is critical, and growth is always a top-line business objective. Moving security programs alongside at the same pace to support the business always feels like it’s a competing priority.
In the past, I often found myself asking, “Why does my security program get left behind while we’re expected to keep up to support the expanding business requirements—with little or no real transformation in our own efforts?”
Another question usually follows. Every other part of the business is measured on performance, which relies on current and relevant data. So why do security teams typically get left behind in business planning discussions?
Why We Get Left Behind
It’s pretty simple. All other functions of the business can determine how well they’re doing when reviewing their business objectives. But I feel that security constantly struggles with reporting on our program. Recently, in some small circles, I’ve heard some of these excuses for this struggle:
- There are countless extremely challenging ransomware threats to which we must pay attention. Why do I need to focus on anything else security-related?
- The speed of innovation within the business is mind-boggling, and the amount of change required in the tech stack is overwhelming. I can’t keep up!
- The holiday season is approaching quickly, and there’s a ton on which we need to focus.
- We’re constantly asked to do more with less.
I’m sure you’ve heard some of these reasons—the list can go on and on and on. But there’s one huge, serious gap: What is the role of InfoSec in helping the business transform and succeed?
Why Security Programs Need to Transform in Concert with the Businesses
The strategic answer to these questions sits in several key areas that I’m encouraging you, as a security leader, to ask yourself and then the business. These questions revolve around why security programs need to transform along with the business:
- What does it mean to transform the security program? Are you still using outdated tools and technology that don’t align with the latest tech stack the company invested in to align to the business? Why?
- Why is the conversation imperative today? You can’t open an article or listen to the news without hearing about cyber security. Cyber security has become a high priority for every business leader and a sales enabler for most companies.
- Why is the conversation different today than a few years ago? The amount of visibility with cyber security has changed over time. Tech is usually top-of-mind when determining how to move the business forward, but in most cases, InfoSec takes a back seat through this evolution.
- Why are the conversations and associated actions increasing in importance? Today, more and more business leaders are aware of cyber security issues. Think how pervasive computing has matured and is on a much larger scale. Then think about how migrating and leveraging cloud technologies has enabled our businesses to do more—faster and more efficiently. Because of these ways of enabling the business, we see attack surfaces widening. There are more spaces to exploit. This, of course, affects us as we determine how to mature our security program, which must be built with holistic views so our businesses can measure how we’re doing.
- Why must something be done now to address this disconnect? Businesses will continue to do what they do—build, grow, scale, repeat. Our security programs must align to that cadence. As the business transforms, so must our programs.
Where Do We Go from Here?
It’s always been my experience that when companies determine how to build and scale their businesses, business decisions always take priority. Always. We want our businesses to succeed and win, don’t we? It doesn’t matter if the business grows organically or through acquisition—business decisions go to the top of the list.
As your business grows and you need to find ways to scale your security program, the questions from the previous sections will probably come up. As you determine which data sets to present about your security program, I encourage you to think about two things:
- Why don’t you already have this data readily available to make decisions?
- How are your peers reporting on their security programs?
This leaves a final question to act upon: How are we going to embrace security program transformation as we head into 2022?
YOU ARE NOT ALONE! This is one of the reasons why I co-founded Blue Lava—to democratize security and give you the data you need for reporting on your program. I’m inviting you to consider the following 2022 goals:
- Get Involved in the Business – I encourage you to think about how you will be involved with your business and enable business growth next year.
- Develop an Adaptive Security Program – being involved with the business allows you to make faster decisions about your security program; you’ll know what’s coming and when.
- Leverage the Right InfoSec Data and Metrics – the decisions and investments with your security program can be backed up with the correct data. It’s critical now more than ever to leverage this data and connect the dots, so everyone in the organization understands your security program.
I encourage you to reach out and contact me with any questions. And you can follow us on LinkedIn—we’re always publishing and promoting content for you.
Speaking of content, if you haven’t watched our upcoming Blue Lava MasterClass, I invite you to do so. It’s an opportunity to learn from things that have and have not worked when building and maturing security programs.
Laz has 30+ years of industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and a globally recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.