{"id":83854,"date":"2018-07-02T09:00:27","date_gmt":"2018-07-02T16:00:27","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=83854"},"modified":"2023-05-15T23:07:49","modified_gmt":"2023-05-16T06:07:49","slug":"perspectives-of-a-former-ciso-disrupted-security-in-digitalization","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/07\/02\/perspectives-of-a-former-ciso-disrupted-security-in-digitalization\/","title":{"rendered":"Perspectives of a former CISO: Disrupted security in digitalization"},"content":{"rendered":"

My passion is the connection of security to the business objectives, and it has been a part of my work with many CISOs across industries as well as my experience as a CISO. This blog series is a compilation of my learnings as a CISO, as well as learnings from peers and customers who are actively working to figure out how to best align security organizations with their business. This first blog will cover why it is so critical for a security organization to shake off the total compliance mindset and balance it with a close focus on aligning to the business of the organization through a clear risk-based approach.<\/p>\n

It is not news that the world changed in the last two decades through digital transformation, and the requirements for security have changed with it. Initially, security was mainly focused on protecting the network and building virtual walls around the digital assets of a company. The fast evolution of mobile technology, globalization, and digitalization has disrupted standard assumptions for business, and businesses are transforming to adapt; security needs to be in lockstep or, better yet, to lead this journey. The world is not what it used to be, as it looks more like the graphic image below:<\/p>\n

\"\"<\/p>\n

Security must be closely aligned to the business it serves and protect it against attacks by the criminal groups working on the Internet. Crime went digital \u2013 from vandalism to classical crime to nation states. The business, on the other hand, gets disrupted and must change at a speed never seen before. This is where security needs to be.<\/p>\n

Security must enable the business transformation and ensure acceptable business risks. This is a non-negotiable truth as security\u2019s sole purpose of existence is to protect the organization that employs it. This is more difficult than it sounds because security started as a purely technical discipline with a common belief that success was achieved in compliance with standards. Many organizations are on the journey of shifting this mindset to a risk-based approach and a deep alignment with their business counterparts. This is a major shift for the security organization as it requires major cultural changes, different priorities, changing of processes and habits, as well as technology changes. I have seen a lot of security people \u201chiding\u201d behind their policies instead of helping the business to be successful. This is not solving any problems in today\u2019s world.<\/p>\n

Regardless of your industry, compliance does not bring security \u2013 good security brings compliance<\/strong>. Success in security is all about running a reasonable risk management and risk mitigation program, which is leveraged and often even driven by the business leaders, and which clears the way for the business to be successful in a frequently hostile environment.<\/p>\n

Chief Security Officers must re-think what they do, re-think the way they look at the world, and constantly try to disrupt themselves. I recognize that this is something people in security are typically not good at, as most of us have been taught risk avoidance during our careers (sound familiar?).<\/p>\n

Disruptive changes require going against this nature and taking risks where the outcome is uncertain. While this is uncomfortable, it is critically important for our future success.<\/p>\n

Looking at it from a more outward view, the CSO has different constituencies to satisfy:<\/p>\n