Three Things a Value-Add Security Leader Should Be Doing.
This month, CyRise Elevate was joined by guest advisor Geoff Belknap, CISO at LinkedIn.
Geoff has had an interesting career. Whilst he sits as cyber security chief for the world’s largest professional network – guarding the personal data of over half a billion users – he is also no stranger to the entrepreneurial hustle of building security teams from the ground up. He began his career at Palantir, before moving on to become Slack’s very first Chief Security Officer. He joined Slack just two years after the company was founded and hot on the heels of a major security incident. Geoff eventually joined LinkedIn in 2019 as CISO and VP of Engineering, and is also advisor to a number of startups and philanthropic organisations.
When peppered with questions from the CyRise Elevate membership, Belknap revealed what may be a non-obvious truth:
Whilst many security leaders may be seen as a handbrake on growth, true ‘value-add’ security leaders aren’t employed only to prevent security breaches.
So, what should a security leader be spending their time on?
According to Geoff, great security leaders should see themselves as supporting and growing the business.
Geoff himself had this realisation whilst working at Palantir:
“I thought that safety – making sure there are zero breaches – was my #1 job. It turns out, that’s not the case. My job was to help the business grow quickly and thrive”.
During our session, we managed to extract from Geoff three jobs that he thinks a CISO should *really* be focused on…
1. Risk Assessment
Sometimes, helping your company grow means taking risks.
A high-value security leader adds value by articulating how improving security will help the business grow. A great CISO advises on which risks their company should be taking, and explains why those are ‘good’ risks. This means staying laser-focused on the mission your business is trying to achieve, and acting as a translational layer between technology and business operations.
Bear in mind that no leader should take risks blindly. How you manage risk should be based on either compliance or your own ethics. If you’re fulfilling your regulatory and moral obligations, it’s probably an acceptable risk.
Remember, you’re not there to eliminate all risks. Sometimes, the best thing you can do to manage a known risk is do nothing.
“It’s not actually helpful to be Chicken Little, saying the sky is falling. Although it can be fun, it’s not actually useful to the business”, says Geoff.
2. Chief Storyteller
A Security Leader must tell the ‘security story’ of their company.
It is your job – and no one else’s – to build a corporate culture where the security team is seen as an essential part of closing deals. To do this, Geoff says you must relentlessly tell the security story at every opportunity, until every employee can articulate what the security team is doing. When you hear your story coming back from people, you’re getting close to the point where you can stop telling it.
But until then – repeat that story!! Repeat! Repeat!
Belknap reiterated that telling your story means being transparent; a quality which can be difficult for any corporation. It is understandable that many companies don’t see the benefit in highlighting a security breach, but hiding it can damage trust:
“It is important for cloud providers — startup or not — to show that security is at the forefront”, says Belknap.
Belknap believes that cloud-based companies such as LinkedIn can only maintain their social licence to operate through radical transparency. A breach at any cloud service provider — even competitors — hits LinkedIn’s business. The public stigma attached to a security breach is often hard to shake.
“One of us being left insecure hurts everyone,” he said.
Communicate to your customers, too
What is the most valuable thing a security team can do? In Geoff’s opinion, the answer isn’t just preventing breaches – it includes implementing workflows for communicating with customers.
As a security leader, YOU are responsible for building customer trust.
“We all think security is important, but the business is important too – you have to find a path that is technically correct, and that also is good for the business. That’s also good for your customers”, says Belknap.
3. Business Ally
It is important that your company doesn’t see you as only the most technical person in the security team, or worse – a barrier to growth. The best security leaders help their company succeed, which means understanding the company’s finances, and the strategic role of security in the context of those figures. Put plainly – you must understand how your security function contributes to the business bottom line.
“So many times people in the security space forget that there are other people in the company where security is just not in the top five of the things that they are worried about. Do you really want the accountants to be thinking about security before they think about financials? No, you don’t”.
The TL;DR –
Geoff’s underlying message is that exceptional security leaders understand they’re not only there to prevent security breaches; they are there to help the business grow. The best cybersecurity leaders are able to articulate their role in terms of advancing business objectives, streamlining operations rather than stifling them, and building customer trust by transparently outlining how the company is keeping their data safe. LinkedIn grows by remaining secure, building trust, and having thoughtful systems in place that enable it to move quickly – a world-class model for any fast-growth company.
CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.
If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.