What are the best strategies for new technology leaders to propose & implement change at their organizations?
One of the CISOs I used to work with many years ago had a concept that security is the enabler of a frictionless ecosystem. So if you manage it correctly, you can pivot the conversation around the fight for change, because you become the lead-in and can actually help support driving revenue if it's designed correctly. We're sort of at that point right now, because with the more breaches that occur, especially in my line of business, I actually have to go in prior to the sales rep to explain how we'll secure this stuff. It's an interesting dynamic.
My previous role was at a 13-year-old startup as far as I was concerned, so it was a mad rush to get all the basic security stuff in place. I really took my time to really understand and make connections before I started making any changes because things had been the way they were for a while. It was also helpful for me to educate people who didn't understand how things evolved. They’d start out saying, “We've always done it this way.” But then I’d get people to admit, “Well, actually this wasn't my process. I inherited it and it's just what I do and maybe it's time to rethink it.”
Even though my role is IT and security, security is obviously the biggest hotbed right now for a lot of companies. Last year, when the “new concept” was everybody on shift-left and InfoSec first, I said, “Where the hell have you been for the last 5-10 years?” I put the onus on the developers all the way through. As for the security component, I said, “I’ll give you an example of a top security company that was infiltrated from the backend: the code was checked in, it was compiled and it was delivered to the clients. And the orchestration took a long time and it was a nation-state effort, but guess what? That was SolarWinds.”
If you're going to tell me that endpoint protection, VPN, etc., are not critical path items then I'll be giving my notice. You have to take into account every endpoint, every piece. A lot of that, in the security realm, is not assuming anything. It's culture.
Try spending a week or two just talking to people without diving into the tech, and really home in on the lay of the land, because even though you've arrived at what the answer may be in your head, there's another layer of validation in there, and there’s value in making sure you're hearing the story correctly before you dive in with a technical solution. And from the business perspective, being able to spit back what you've heard from the business in their language before you move forward with the technology will also be a powerful tool for you.
That's why I haven't engaged with any vendors yet. In my last role there were a lot of things I implemented from an authentication standpoint—security alerts, monitoring, endpoint—all of the wonderful things you get at major corporations where you had InfoSec and you fought for the budget. I'm now at a startup. I have an arsenal of vendors that I can plug and play, but I want to hear everything first. I tell folks, “I'm a CTO, but not what you think: I'm a Chaos To Order guy. Bring it to me, I'll clean it up.” I thrive in the chaos.
Obtain buy-in by demonstrating end-user experience enhancement. Oftentimes we think from a technology perspective, but how will it affect users downrange? That is the real question. If you involve them early enough and have their input into your proposed changes, they will be much better accepted and executed vs. top-down decision making, or decision making where the end recipients of said services have zero involvement in their selection.