To succeed in security, think about the business

Deep security knowledge isn’t the only skill CISOs need. To succeed as a security leader, knowing how security can enable the business, especially around providing a better user experience, is also essential, judging by a panel discussion at the Financial Services CyberTech Forum, which was recently held in London.

Security is a part of the business

Conducting security in a silo independent of the rest of the business leaves organizations open to attacks, said several people on the panel, which was comprised of CISOs and security executives from banks and financial services companies. Data breaches can impact revenue and lead to large fines, making information security a board-level topic, said one panelist.

Security needs to be considered from the start of a project, said a CISO on the panel, whose participants couldn’t be disclosed in order to allow them to speak candidly. Oftentimes, security teams are brought in just before a product is about to launch or an application or service is purchased. Saying no at that stage makes the information security department seem like a business impediment, the CISO said. The challenge, he said, is balancing a business’ need to innovate and work quickly with the need for security.

To remedy this, several speakers on the panel, which was moderated by Veridium CRO Jason Tooley, suggested that security leaders talk to their counterparts in other departments. This allows information security staff to learn what projects people are working on and point out security concerns so they can be corrected early on. Collaborating with other departments shows that security teams want to enable business, not stymie it, said one panelist.

Always keep the user in mind

As companies turn to technology to improve and secure their businesses, some panelists cautioned against forgetting about the users, since they’re the people who are impacted by any changes. In fact, one panelist recommended educating users on any changes to security features before implementing them. The people who will use the features need to know how the changes will affect them, he said. Incentives could be required to get users on board with the changes, he added.

Ideally, new security features would also improve the user experience, which could make people more open to adopting them, said another panelist. To provide a better user experience, one panelist suggested placing smartphones at the center of any security plan since most of the employees at her bank use their phones more than their laptops. Another speaker agreed, saying that employees have grown accustomed to the seamless, fast and convenient experience consumer technology provides and expect a similar experience with the technology at work.

But don’t instantly apply aspects of consumer technology to the enterprise, especially around security, warned one CISO. He said that too little friction could worry security-minded individuals and cause them to feel that security is being traded for convenience. He called for gradual adoption, adding that implementing security isn’t as simple as flicking a switch.

Security leaders are looking beyond the password

On the topic of using passwords for authentication, CISOs are considering other options, such as using passphrases instead of passwords. Some are looking into passwordless authentication, which does away with passwords completely. Instead, people use their smartphone and biometrics to authenticate. Going passwordless fits with the approach one CISO adopted of placing users first and then developing the security program around their experiences. He said that his employees use their smartphones for nearly every task and wanted his company’s authentication process to leverage these devices. Security has to be part of the digital experience, he said.