Oct 16, 2025

A Tale of Two Security Programs and Two Different Trajectories

It was the best of times, it was the worst of times, it was the age of resilience, it was the age of weakness, it was the epoch of rigorous protection, it was the epoch of unmitigated vulnerability, it was the season of vigilance, it was the season of disregard.

Two growing companies

Two security programs 

Two successful SOC-2 audits 

Two fractional CISO engagements

Two similar security tool and services profiles 

Two very different program trajectories.

IOmergent earns the privilege of partnering with many growth stage and emerging midmarket companies to build, or rebuild, security programs.  Contrasts and comparisons between these companies, their business contexts, cultures and strategies, even when anonymized, are often striking.

Security Governance 

Periodic, cross-functional security governance meetings are a critical best practice component across our client portfolio.  These meetings ensure that the security program stays aligned with business strategy and objectives.  They provide a forum to communicate status, highlight relevant changes and challenges, debate key decisions only client executives can make, and to celebrate the organization’s security and related privacy wins.

During a recent round of security governance meetings, two companies of similar size provided a striking contrast, despite both having moved the needle against their security objectives earlier this year.

Security Investments and Cultural Puzzles

One company, we’ll call it “London,” is scaling its security program to support its large enterprise customers and ecosystem partners and preparing to meet new certification requirements.  The financial drivers for this program have never been in doubt but there is also an underlying culture that causes executives and employees to embrace the protection of its individual end users.  

In contrast, the second company, “Paris,” is yielding hard-won security gains in pursuit of features and other recently prioritized projects.  This is in spite of the continued business drivers for making security investments.  Further, the culture at Paris is both complex and multinational.

London’s management team has engaged in security and privacy consistently for three years as part of how they grow and execute their mission.  Members of Paris’ management, after achieving a hard-won security objective, have started putting off or retreating from process improvements that support scale and velocity while reducing risk. Security is not the only victim. 

Since security was prioritized by the CEO and executive team at Paris, they have made and sustained investments elevating them above the so-called “security poverty line.”  However, parts of Paris’ culture and circumstances have conspired to produce operational deficits in critical functions, and these deficits are impacting the company’s ability to create and sustain important enabling security processes.  CISOs must routinely work through such challenges with their stakeholders, but in Paris’ case, the functions at issue are inescapably bound to a central component of the raison d’être for their security investments.

Security Must Meet the Business Where It Is

Security needs to meet the business where it is in order to enable the business to pursue its strategy and achieve its objectives in the optimally secure manner.  No CISO is an island and no security program can be effective and sustained without the buy-in and assistance of the business that it is protecting.  

Fractional CISOs, in particular, should lead in security-related transformation and improve resilience.  They can help change company culture but must work through full time executive leadership to gain agency at the outset.  Time is required to fully define cultural and interpersonal challenges, and find the levers to relieve them, even as company strategy, markets, objectives and personnel evolve and change.

We must be prepared to adjust, try new things, help with challenges that aren’t contemplated in the scope of a typical Fractional Security engagement letter.  On occasion, we must hold the mirror up to the client with empathy.  We must be prepared to bow out gracefully if we are unable to help our clients unlock core problems.

First Principles

Security is not the business of Paris, or any of our clients.  We strive to help clients make security an enabling function supporting the achievement of business objectives.  So it’s on us to recognize Paris’ situation and go back to first principles: reimagine how the security program can best support the business objectives and strategy given the constraints.  Identify the blockers, update and communicate the plan, recruit new allies that unlock the issues.