Why security is a business problem
What’s one thing that a career in cybersecurity has taught me? A little bit of humility goes a long way. As Chief Security Advisor for Microsoft customers in Switzerland, Germany, Austria, and the Netherlands, the clue is the name. I advise business leaders on how they can adopt new technologies with as little risk as is needed. But I don’t have all the answers – and admitting that makes a world of difference when it comes to building a trusted relationship.
I’m an engineer by training, with a specialization in computer science. Before taking up my current position at Microsoft, I was a security consultant at Accenture and Chief Information Security Officer (CISO) for a large Swiss telecommunications company, Swisscom. Before that I’d already done a first stint at Microsoft, working on critical infrastructure protection.
My career to date has shown me almost every side of security. I know how it feels when you’re responsible for critical infrastructure and what it’s like to have to deal with incidents. But I also understand how security products are designed and developed. This makes a huge difference when I speak with CISOs, because they know that I appreciate the challenges they are facing – such as having to stand in front of their board of directors and justify spending on cybersecurity.
It’s not that business leaders don’t believe security is important – we’ve come a long way since those days – but often, security teams don’t make their case from a business perspective. That’s another key learning I’ve brought back into my current role:
Translating the technical risks into business language is often where our industry fails. After all, it’s all very well to say you need multi-factor authentication or endpoint protection, but if the CEO doesn’t understand how this impacts the company’s risk level, they won’t approve it.
This is where I come in. My goal is to bridge the gap between the value of the technology Microsoft provides and what the customer wants to achieve for their business with security. And this means asking a lot of questions.
Starting with the ‘why’ allows me to get a handle on an organization’s underlying rationale for requesting a certain type of technology, and it forces the customer to re-examine their assumptions too. Sometimes we may end up concluding that a Microsoft product isn’t the best solution after all! When that’s the case, I’m not afraid to say it. Perhaps we don’t have the answer today, but it’s something to consider tomorrow.
This brings me to another key part of my role: sharing customer feedback with Microsoft engineers and developers. I don’t go back and demand specific products or solutions, of course, but I am in the unique position of being able to let them know when certain customer scenarios have highlighted where we could be doing more or doing something differently.
Sometimes security people are perceived as barriers to progress within an organization; the people who will say ‘no’ to anything cool or innovative or potentially game-changing for the business’ bottom line. But while it is every security officer’s job to be paranoid – they spend their days dealing with the bad guys after all – what they really want is to help every individual do their job in the safest and most secure way possible. They want to be involved in solving the problem, rather than just saying ‘no’.
Ultimately, it’s this opportunity for problem-solving that makes cybersecurity such an interesting field to work in.
Right now, for instance, our industry is confronted with the challenge of protecting millions of people who are suddenly working remotely because of the COVID-19 pandemic, as well as fending off new coronavirus-themed malicious cyberattacks. And I’m sure that tomorrow there will be a new challenge we haven’t thought of yet. Working in cybersecurity is many things, but it’s never boring.
To read the story in German: “Warum Sicherheit ein waschechtes Geschäftsproblem ist“