To be successful in the boardroom, security leaders need to clearly articulate how their roadmap will help the business, not just secure it. Think about multi-factor authentication as an example. While it’s hard to prove ROI on this, you can market it as something that will improve employee satisfaction. How? Because once you have MFA on all external facing systems, you can reduce the number of times per year that you force employees to change their password. NIST recommends only changing passwords once per year if you are using MFA. What about implementing Single Sign-On or an Identify and Access Management system. These can be complex and expensive, but if you are able to show the number of hours of productivity gained by team members having access on day one as well as having the correct access, you can demonstrate their value. In addition, if you are highly regulated, the number of hours spent on access reviews will go down drastically since it will be automated now.

And finally, I love it when I start a new role and run a full vulnerability scan. Understanding that many applications are now in the cloud, this still gives some great insight into a full application and server inventory. Using this list, the security team can usually save the company money because many systems may still exist that were deployed by a former team and are no longer being used, but the company is still paying for them. In addition, this can help determine if there are multiple tools performing the same function. As such, you can consolidate and save the budget once again.

Security can save the company money and reduce complexities. Robotic Process Automation and Security Orchestration and Automation are great for patching and vulnerability management as well as self-service user provisioning and application deployment. However, for this to work, there must be a great partnership between the Security and the Infrastructure teams. Security can frequently be perceived as a big brother amongst other IT teams. By running scans, we point out problems with how the infrastructure team has configured or patched systems. Or how the application team hasn’t used the OWASP top 10 lists with their SDLC. The partnership is the key to this challenge. Don’t send up your first security dashboard without giving the apps and infrastructure team a heads up and give them a chance to respond. Don’t just send a PDF of the problems and expect them to fix them in a week. Work with the teams using a defect tracking system. Be a part of the solution! This is how to win friends and influence people and earn a seat at the C suite table!