EXPEL BLOG

Staff, C-suite disagree on how security drives innovation

· 3 MIN READ · GREG NOTCH · OCT 19, 2023 · TAGS: Cloud security / Management

But why? It might be that one group sees the forest, while the other sees the trees…

Not that long ago, it would’ve been hard to find an organization completely aligned on the role security plays in innovation. Many developers and product teams saw security as an obstacle, holding back their efforts to go to market with a product, service, or feature that could have a real impact for their customers. Thankfully, that worldview has shifted, according to our recent report, Security-enabled innovation and cloud trends.

Research by the Cloud Security Alliance (CSA) concludes:

[G]enerally, organizations have a positive attitude toward security and its integral role in innovation. Security is prioritized during product development and is seen as a competitive advantage, particularly concerning cloud strategy. Moreover, organizations regard security as crucial in nurturing a culture of innovation, with the majority predicting an increasing interdependency over the next five years.

However, the research also uncovered a disconnect in the attitudes around security and innovation, exactly where you wouldn’t want there to be one: between the C-suite and security staff. CSA’s research found that 43% of leadership sees security as a critical part of product development, and half view it as critical to cloud strategy. Fifty-one percent strongly associate security with competitive advantages, while 65% see it as a key enabler of innovation.

Contrast that to security staff, who are less convinced. The report finds that staff sees security as less involved in product development (27%) and cloud strategy (31%). They also view it as less associated with competitive advantage (36%) and perceive a weaker relationship with innovation (44%).”

The natural question: why?

Bridging the disconnect

While the disparity in attitudes around security and innovation aren’t critically dire, orgs should still make it a priority to address them, and this is an area where the CISO can play a big role. I’ve long been a proponent of the idea that CISOs need to speak the language of business. They have deep technical knowledge, but they must know how to translate their understanding of security, risk, and resilience into information that helps the board and the rest of the C-suite make decisions. This skill also helps the CISO articulate the needs of the security team so it can maintain a strong and resilient security posture.

CISOs can (and should) communicate in the other direction, as well—they need to distill strategic conversations happening at the leadership level into actionable strategies for staff.

This is where that technical know-how comes into play. Knowing the overall strategic plan, compartmentalizing what security needs to know to support that plan, and laying out what needs to happen to make the vision a reality goes a long way in helping bridge that gap between leadership and staff.

But the effort shouldn’t stop there. Instead, CISOs should use the unique opportunities they have for interacting and influencing multiple levels of the org to contextualize their viewpoints, celebrating the role that security staff plays in innovation while sharing with the security team the overarching impact their efforts have on furthering their org’s mission.

If CISOs seize this opportunity, they’ll probably go a long way in furthering the connections across the organization and fostering a culture of innovation.

The importance of perspective

The main reason for the disconnect may simply owe to perspective. C-suite executives naturally view company initiatives through a wider lens. They generally have access to more information and make decisions using multiple sources of data, focusing on the company’s long-term success. This potentially breeds more optimism.

On the other hand, security staff focus more narrowly on their own domains and on managing the company’s day-to-day security operations. The differences in these perspectives can influence—strongly—how security is viewed..

A final note: company culture

In addition to variances within companies, the CSA report also notes the impact of culture between organizations. A deeper dive into the data finds that people who strongly believe that security is an essential enabler for organizational innovation typically belong to organizations that align with this perspective (63%). Conversely, individuals from organizations that see less of a link between security and innovation are less likely to personally see security as a driver of organizational innovation (19%). In other words, if the company treats security as an enabler, then that org’s team members will perceive and ultimately treat it as such.