3. Building a Culture of Security

SUSAN KOSKI


What does it mean to build a culture of security in a business? All too often, the security organization is associated with the voice of “no.” Given the pace of the digital economy and the business need to be proactive for competitive advantage, security must be an embedded part of every solution. Instead of saying “no,” a security organization must be able to say “yes” while spelling out the operating conditions that make that yes possible. If security is seen as the voice of “no,” the business will route around it, serious security risks may never be identified, and the company is placed at greater risk. The security organization must evolve to become a trusted advisor to the business.

The pinnacle of achievement is when, instead of being avoided, the security group is actively sought out for advice. Businesses reach this pinnacle when the culture of security is so embedded that when new or changing initiatives are presented, security is woven in throughout the design, build, and implementation. Without this embedded culture of security, solutions will be delivered without the proper controls, which can lead to breaches and to customer and shareholder dissatisfaction. The CISO's job—and everyone's job—is to enable the business to drive their car as fast as they need to with the proper safety measures such as brakes, air bags, and seatbelts in place to attain an acceptable safety level.

Depending on where the security organization is relative to maturity, this ...
