The role of CISO in combating the dangers of a “move fast, fail fast” culture

The concept of “move fast, fail fast” carries many risks. Take your time and win the race with methodical, focused work.

Today, many governments are betting their future on technology. In France, digital transformation is an important pillar of the national plan and is high on the government’s list of priorities.

Throughout human history, technology has been widely associated with progress, and the global pandemic has only accelerated digitization. We are therefore in a frantic race, and those responsible for information and communication technology (ICT) have to make quick decisions.

CIOs are currently torn in two directions. On the one hand, commercial stakeholders demand more flexibility, more services, and a better user experience for customers and employees. They argue that if the company cannot make the customer’s life easier, the customer will go elsewhere, and that if it cannot empower its employees, they will simply leave. Agility is the watchword, and these stakeholders seem fixated on that single idea.

On the other hand, company representatives who rally around risk management push the CIO in the opposite direction. CISOs clearly fall into this second group. They understand the importance of agility and flexibility, but they approach business development from a different angle.

Risk escalation

While we can appreciate the appeal of the “move fast, fail fast” model, the CISO should remain its pragmatic opponent. Software development conducted as a “race to the next service” can benefit the business, the market, and productivity, and it may be necessary for some businesses.

But today’s CISO must judge these practices against recent trends. The computing environments they must protect have undergone major changes in topology: the corporate network now spans multiple domains and has become highly heterogeneous.

For example, users are now spread across many environments: company-controlled buildings, unsupervised third-party premises, and their own homes.

When it comes to agile computing, continuing as before amounts, in the CISO’s mind, to courting disaster sooner or later.

So the security manager must craft a message that reaches every stakeholder in the company and leads them to consider the risks at each stage of the development cycle. As CIOs give way to the determination of marketers and the anxiety of board members, the CISO must be the voice of reason.

CISOs should use their position as risk managers to report any instance where the rush to agile IT leads to enterprise risk management being abandoned.

In addition, they should look for ways to create a new chain of accountability for incidents related to change management, and insist that agile project managers take responsibility for any incident that occurs in the absence of due diligence.

Security as standard

SecDevOps is an example of this cultural shift, in which security becomes an indispensable element: taking risk into account becomes a standard requirement for every project.

The CISO knows enough to make a compelling case that it is easier, cheaper, and more effective to integrate security from the start and at every stage of a project. They should insist on this point and never allow security to be relegated to one more QA step at the end of the development cycle.

To keep their employees and customers safe in the modern threat landscape, companies and their technology teams must realize that strong security is about more than regulatory compliance. They should advocate investing in the most effective tools and, where possible, using independent audit teams (red teams) that behave as attackers would in order to identify vulnerabilities.

Today, digital experiences take place across multiple environments. Security tools must allow operations teams to identify threats in hybrid and multicloud environments. Furthermore, existing security tools must adapt to the weaknesses and vulnerabilities introduced by certain identity management software or mechanisms.

Security tools must also be flexible enough to keep pace with the rapid development of the business. The Chief Information Security Officer (CISO) must remain firm on risk management, but must also secure the means to obtain effective tools that allow some concessions to be made and, eventually, to sleep soundly.

Slow and steady

It is only natural that a CEO, or even a CIO, would want flexible IT; their role, above all, is to move quickly, so it is equally natural that their actions focus on delivering new services rather than on risks. CISOs play a different role and provide a more measured response to market expectations. They should remind colleagues of the impact of a cyber incident and how costly it is to the company.

Agile projects matter more to business today than ever before. But for lasting success, risks must be taken into account, and that requires systematic, targeted action.

Many people around the CISO still roll their eyes when they hear that “risks must be addressed before progress can be made”. However, if security managers persistently spell out the impact and costs of ignoring their recommendations, they will win in the end.
