Wendy Nather (director of Advisory CISOs at Duo), Chad Loder (CEO and co-founder of Habitu8), and Manju Mude ("Paranoid" Security Leader at Oath) discuss how effective CISOs work with their counterparts and build relationships.
There is a perception that security is about restricting (or allowing) what people can do with technology. Another is that the security team "holds complete power" over the risks, when in fact the responsibility is spread across the organization, especially among the builders and managers who own the product, Mude said. "We [security] are the guidance, the guideposts."
Nather introduced the idea that security is a service function, not a control function. While it would be nice to be able to insist that people do certain things, that is not how most organizations work. "You can't lay down the law," Nather said.
Loder agreed, noting that CISOs are "educators, not enforcers." One way to understand the effectiveness of the security team is by looking at the demand for security services, Loder said. "I'm a big fan of saying, 'Here's our team. Here are the things we can do for you.'"
Many in the business are more concerned about auditors than about hackers, because they encounter auditors more often. Security professionals are "seeing all the fires all the time, and you start thinking everything is on fire all the time," Nather said. Business leaders do not share that view, so their perception of the likelihood of something going wrong differs from a security leader's. "Who's to say you are right and they are wrong?" Nather asked.