The 7 Key Traits of a Healthy Security Program
- Maxwell Zhou
- Mar 12, 2024
- 5 min read
Security is a people-first business. Technology serves as a tool to solve the business’ problems. For security, the primary problem is protecting the business from unexpected loss due to cyber risk. Unfortunately, there is no straightforward solution to this today.
As a security leader, you need to cultivate healthy conditions to enable the business to solve this problem.
I. Curiosity
Curiosity is the desire to learn. It is not a trait unique to white-hat security professionals. The threat landscape is always evolving, and attackers have a strong incentive to learn when there is a lot to gain from finding new ways to disrupt a business and extract value from it.
So what’s the difference between curious and smart? Being smart is about being resourceful and having the quick wits to draw on existing knowledge to reach conclusions. A smart person will learn quickly, but a curious person will find themselves in new territory that doesn’t yet have answers.
A curious team will bring novel approaches to your organization’s unsolved security problems, maintain persistent vigilance over your security posture, and serve as an infectious force multiplier.
To express this trait:
Embrace experimentation: During project planning, there may be answers to questions we simply don’t know. Time box the analysis and encourage an experiment to attempt to uncover the answer.
Celebrate mistakes: A natural part of learning is making mistakes. Curious people make mistakes at an alarming rate as they overcome knowledge gaps.
Host story sharing sessions: Learning is a non-linear endeavor. Polished lectures can feel robotic and unattainable. The story of how someone got to a conclusion will stick a lot longer than the conclusion itself.
II. Empathy
Organizational success is often measured by what the organization can deliver. Security serves in a risk advisory role to the business. To be a trusted advisor, security should focus on the problems the business is trying to solve and identify what is required to support that direction with minimal risk.
Supporting a decision with minimal risk to the business also means being pragmatic about what can reasonably be done. To be a true partner to the business, security should be trying to answer: “Do we have reasonable controls available to us today to support this initiative in a sustainable manner? If we don’t put them in place, what is most likely to happen?”
To express this trait:
Set expectations: Recommendations should be realistic with what is reasonably possible with the current state of affairs. Control gaps should be documented as data for improvements, not blockers by default.
Provide options: There are always multiple solutions to a problem. Be clear on the pros and cons to security posture with each option.
Quality output: The depth of analysis of your deliverables should instill confidence in your cross-department partner’s decisions.
III. Engagement
We always hear “Security is everyone’s job”. The purpose of engagement is to get the entire organization behind the mission of security: to support the growth of the business and protect it from unexpected loss due to cyber risk.
That means security should be easy to work with and easy to understand, and should facilitate work on behalf of the organization rather than obstruct it. A security program will naturally garner positive engagement when you build established partnerships within the organization.
To express this trait:
Define secure pathways: Secure pathways are workflows built around the patterns of the organization’s common deliverables, with security built in, so that the process is interactive and guided rather than a series of rigid security checkpoints.
Assign security responsibilities: Every department is responsible for keeping the organization secure. Engineering teams should own the remediation of vulnerabilities, HR should own the comprehensiveness of the background check process, etc.
Recognize security efforts: Security is often seen as a “background” function. Communicate new security capabilities often, especially those owned by partnering departments to encourage future developments.
IV. Consistency
Nothing is more frustrating than inconsistent rule enforcement. It feels unfair, targeted, and discourages departments from further engagement. Inconsistency will breed distrust and ultimately lead to circumvention of established controls and processes.
The integrity of the security department is rooted in its ability to produce consistent guidance and service delivery to the organization.
To express this trait:
Align on policies: Like any knowledge profession, guidance can often differ depending on the person delivering it. It is important to differentiate what is a requirement based on organizational standards from what is a recommendation based on the advisor’s experience.
Automation-first approach: Common tasks should be automated as much as possible. Autonomous governance systems ensure adherence to codified policies.
Standardize output: Use templates to define expected output for common deliverables (ex. Tech Spec Templates).
V. Inclusivity
Security shouldn't be for the "technical folks" only. By making security measures user-friendly, easy to understand, and adaptable to different contexts, executing and sustaining a strong product security strategy becomes far easier. Security impacts the whole business: customer trust, legal liabilities, financial loss, business interruption, brand reputation, etc.
The primary goal here is to reduce the barrier of entry and enable any organization member to contribute.
To express this trait:
Educate: Technical folk have a tendency to assume others know what they know already. Always come from a place of teaching to unlock the natural curiosity of others.
Identify fundamentals: What are the top 3 security tasks a person can help with? Routinely share these calls to action at a regular cadence and share how it helps.
Make it easy: Assume everybody wants to make a difference. Make those calls to action low-commitment and high-reward. What do you need to make that happen?
VI. Continuous Improvement
A country’s military does not exist to prevent a war. Its purpose is to detect and respond to national threats.
Security’s mission is often mistaken as “breach prevention”. In reality, the organization should always assume breach and work towards reducing the impact and frequency of cyber threats. This means taking an iterative approach to their security posture.
To express this trait:
Identify weaknesses: Nothing is going to be perfect. Before reacting, document the weakness and its impact.
Holistic evaluation: It’s easy to get lost in a cycle of moving the goalpost. Take a step back at a regular cadence (ex. annually) to check yourself against the bigger picture.
Rank improvement plans: You can’t do it all. Rank the relative impact of each improvement plan and work down the list.
VII. Business Alignment
Ultimately, security serves the business. It is therefore critical that all security initiatives are aligned to business objectives. Although deeply technical projects may make great resume fodder, they don’t necessarily translate to immediate business value.
Alignment is often interpreted as “do what you’re told”. If your leaders need to consult you for every decision, it may indicate that your leadership is being interpreted that way. True alignment is the outcome of effective leadership, not of taking orders.
To express this trait:
Define guiding metrics: Your leaders should rely on these as guiding principles to steer decisions, actions, and strategies towards desired outcomes.
Reduce interrupt work: Develop a formal process to triage and act on interrupt work. If a request does not align with the guiding metrics, it is not urgent.
Empower decisions: Communicate a prioritization framework for teams to independently act on behalf of the department’s best interests, without your input.