The saying ‘no good deed goes unpunished’ often applies to cross-functional work within organizations.
There is not enough cross-functional collaboration between security and related IT disciplines, and when there is, those who participate are just as likely to be asked why their regular work is being slowed down as they are to be rewarded for their teamwork. Practitioners are generally trained to stay within their area and not to spend much time outside of their specific domain.
That’s a big problem because the risks and threats facing organizations today are too numerous and complex to be dealt with exclusively by the security team – or any one function, for that matter. Cross-functional communication and leadership skills among a range of IT and IT-adjacent fields, such as security, privacy, risk, assurance, governance, quality and more, are needed to devise and implement the multilayered solutions enterprises require to meet the many challenges at hand.
It's great for a company to build a strong security team or a risk management function, but ultimately, what do today’s enterprises need to attract and retain customers amid such a perilous threat landscape? The big-picture answer is to build digital trust in their products and services.
ISACA, a global technology nonprofit association, defines digital trust as “the confidence in the integrity of relations, interactions and transactions among providers and consumers within an associated digital ecosystem.” Security is part of digital trust but just one piece of the equation. Attaining digital trust is a group project that cannot be done in silos, but unfortunately, too many companies are not yet in that mindset. In ISACA’s recent State of Digital Trust 2022 study, only 12% of respondents strongly agree that there is sufficient collaboration among professionals who work in digital trust fields. In many companies, the organizational culture reinforces a stay-in-your-lane mentality, and there’s not much sustained commitment for working cross-functionally.
That needs to change, and security teams should do their part to drive toward the broader mission of advancing digital trust. There are many security professionals who are adept at specific areas such as endpoint security, identity and access management, and threat hunting. There is certainly a place for specialization, but it is important that the team includes people who recognize the importance of sharing knowledge, learning from other teams and finding areas of overlap, so that transformation projects (digital trust and digital transformation go hand-in-hand) are approached holistically.
For instance, suppose an organization decides to build and provide an online service that matches gig workers with companies that need certain skills. In order to achieve a high level of digital trust with that service, security professionals need to work with product management, software development, privacy professionals, and others. The organization needs a cross-functional digital trust working group that spans the stakeholder organizations and functions. This working group could be led by someone on the security team or by someone else, with security professionals playing a strong role. All stakeholders need to be aligned on the role of this group and agree to abide by its requirements and strongly consider implementing its recommendations. The working group could use a digital trust framework to determine what the service will need to achieve digital trust. The members of the working group are responsible not only for collaborating with each other, but also for championing and ensuring that requirements are met and recommendations are adopted.
Generally, the bigger the organization, the harder it is to achieve cross-functional collaboration and alignment. Most modern CISOs in larger organizations are business-savvy and well equipped to lead cross-functionally. Ideally the CISO – or perhaps somebody a layer or two below the CISO – takes on spearheading cross-functional collaboration as part of their role. Smaller organizations are more used to working cross-functionally and accustomed to working with anyone and everyone to get the job done. At smaller organizations that might not have a full-time CISO, buy-in from the CEO on the importance of collaborative projects is crucial.
Whether it is the CEO, the CISO or another executive, enterprise leaders need to set the course for prioritizing digital trust by ensuring that enterprise-wide collaboration is viewed as more than an extra credit assignment and instead part of people’s job descriptions. It must be made clear that to achieve digital trust, practitioners are going to have to take part in ongoing dialogues – just sitting in your office or at home and doing your work will not take the organization where it needs to go. Companies that view participation in cross-functional teams as a hobby and not a core responsibility for team members will struggle to achieve digital trust. Not only are cross-functional communication skills needed, but so are cross-functional leadership skills and the ability to persuade others to engage when they don’t report to you. I have found that volunteering for industry associations is a great way to develop these collaborative skills that translate extremely well to success in the workplace.
Digital trust should already be top-of-mind for enterprise leaders and will become more vital going forward, as reinforced by the 82% of respondents in the ISACA State of Digital Trust survey who expect digital trust to be more important to their organization in five years. Across the enterprise landscape, we have plenty of work to do to learn how to collaborate effectively across IT domains, but as progress is made, the pursuit of digital trust will feel more real, more achievable and, therefore, increasingly important for organizations. Digital trust might seem aspirational to many companies today, but customers are beginning to expect it – and will extend their loyalty to the companies that can deliver.