
The art of saying no is a powerful tool for the CISO in the era of AI


Moving fast can be a good thing but not at the cost of security — as the AI boom puts immense pressure on product teams to quickly bring products to market ahead of competitors, CISOs can seize this moment to show how security is a powerful business enabler.

The security of a product can make or break a launch, and no one understands this better than a CISO who must align risks and mitigants with their organization’s risk appetite. Sometimes, CISOs must say no to emerging tech, especially when the risks are not fully understood nor mitigants fully implemented, and that can be challenging at a time like this when AI adoption is skyrocketing.

This is a watershed moment we’ve seen play out before and there are good lessons to recall. Think back to over a decade ago when cloud experimentation and migration were expanding rapidly. When CISOs actively blocked cloud, they were circumvented and ended up having to bolt on security after the fact, which resulted in a less-than-ideal security posture.

But CISOs who leaned into the potential of cloud and learned about its security benefits were able to support their business colleagues along the way to ensure that anything built or deployed in the cloud would meet or exceed their security standards — illustrating that security investments offer significant business outcomes.

Over time, the CISO’s role evolved from a reactive technical role to being the security expert who proactively weighs in on business decisions and counsels the CEO and board. This means that business goals and outcomes can be directly impacted by whether a CISO says yes or no to requests.

Avoiding the perception of security as the Department of No

To support their initiatives and effectively communicate risk, there are times when CISOs must say no, but the conversation should not stop there. Security departments cannot afford to be viewed as a roadblock to innovation, or the Department of No, especially when it comes to the demand for AI.

Instead, they should strive to be viewed as the Department of Yes: fully leaning in to support business objectives while taking on the responsibility of explaining and mitigating risks. Saying no and being the Department of No are two very different things, and shifting this perception through conversation enables CISOs to educate the company on the risks.

CISOs should seek every opportunity to embed security into new innovations from an early stage rather than giving rise to shadow IT, or having to bolt security on later, or postponing innovation indefinitely.

Turning no into a catalyst for yes

To unlock the power of no, CISOs must track how many times they must decline requests from the business, why, and what it actually costs in terms of potential lost market share. For example, say a CISO has repeatedly been pushing back against a new feature because they don’t have the technical or cultural implementations to support the ask — it’s too risky.

They can approach leadership and say, “I understand the pressure to release this before our competitors and that it represents an $8-million opportunity. However, because we don’t have x, this is too risky for your appetite. If we do this without x, the $8-million opportunity could become an $8-million liability.”

Using this data, CISOs can then make a business case to show how security is tied to business enablement. With that support, a CISO can:

  • Incubate a security culture program where everyone has a security responsibility. This will ensure security hygiene and ownership are taught at every level of the company to ensure each employee does their part in reducing risks.
  • Justify the cost of a tooling team that builds and maintains CI/CD pipelines with the security checks built in, not bolted on — so developers get security feedback at every stage of the SDLC and can focus on features. Security should be seen as a priority at every step of product development; this is one way to ensure it doesn’t get lost in the process.
  • Build a training program and embed a “security ambassador” in every product and engineering team. This will ensure products are built with a security mindset from the beginning — saving time and money down the line.
  • Make security objectives clear (we must do X, Y, and Z) yet flexible (let’s focus on the objective). There are many considerations when it comes to security and it’s the CISO’s job to help prioritize and set realistic goals with the available resources.

These strategies result in developers being deeply vested in their release velocity and owning the security of their product. With security built in early with every product, there can be fewer surprises or late-night scrambles when it comes to production launch.

Moreover, these enhancements may help reduce how often CISOs must say no in the future because the culture of security improves, security investment is more commensurate with risk, and the executive team better understands cyber risk.

As the race to adopt artificial intelligence continues, distinguishing between saying no and being the Department of No has never been more important. CISOs have an opportunity to frame each no in terms of business risk and opportunity, and to use it to justify increased security investment and business resilience while maintaining the pace of innovation that modern businesses demand.
