Walking the Tightrope Between Innovation & Risk

When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring innovation and security coexist.

Jill Knesek, CISO, BlackLine

October 10, 2024

4 Min Read
Silhouette of a person walking a tightrope; the tight rope is being held on either end by hands
Source: lorenzo rossi via Alamy Stock Photo

COMMENTARY

July's CrowdStrike incident serves as a stark reminder of the unintended consequences organizations face when innovating to enhance security and streamline operations. Using best-in-class technology is usually a safe bet for chief information security officers (CISOs) when selecting a security vendor, but it's equally important to be cognizant of how that technology will be deployed and the amount of risk it can create. I've deployed CrowdStrike as one of my endpoint security tools, and standardizing on this solution allowed for my security operations to be automated, and created muscle memory among my security engineers. This resulted in a faster and more streamlined response to security alerts.  

However, the CrowdStrike incident served as a sobering lesson about the potential consequences of real-time misconfigured updates on critical business operations. This has opened my eyes to thinking about risk and innovation in a slightly different way. It's not just about selecting a vendor with a strong security program, but also about considering the breadth of the implementation of the vendor product, as well as the way the product is updated across an environment. By understanding these different elements, enterprises can make more informed decisions to manage innovation against risk in a controlled manner. 

Interestingly, some companies' reliance on older operational systems shielded them from the direct effects of the CrowdStrike incident. While their outdated technology was once viewed as a liability, it became a surprising advantage in this case. This scenario suggests that the trade-off between innovation and risk may be inevitable. However, both are achievable. So, how can CISOs strategically balance both to ensure secure, forward-thinking operations? 

Bridge the Barrier in the Boardroom 

CISOs often face the misconception of being barriers to innovation within the boardroom. To dispel this, we must reframe the discussion from a "security versus innovation" perspective to one of "secure innovation."  

Security and innovation are not mutually exclusive, nor should they be. When security is integrated early in the development process, it ensures that innovations are both groundbreaking and secure. CISOs must proactively reach out to other leaders across the organization, from the chief technology officer (CTO) to the chief financial officer (CFO), to ensure security is factored into strategic decisions from the beginning. It's about building relationships, where security becomes as natural as brakes on a car — essential for control but enabling speed and progress. 

Foster a Culture of Security

One of the most important roles for a CISO is to be viewed as an enabler to innovation instead of a blocker. In reality, the role of a CISO extends far beyond protecting systems; it involves communicating risks at a business level and ensuring that security enables progress rather than stifles it. The key to achieving this lies in fostering a culture of security involving the entire organization, from leadership to employees in the field. 

As the first line of defense, employees are crucial to establishing a security-first culture. Daily interactions with third-party vendors and potentially malicious content expose them to risks that can compromise the entire organization. 

A powerful way to engage employees in this mission is by making security personal. Phishing attacks, data breaches, and threats to personal banking information are tangible examples that resonate with employees. When people understand that their actions can directly affect their own security, as well as the company's, they become more motivated to adopt secure practices. With a security-aware employee culture, defense strategies are baked into innovation efforts from the start. 

You're Secure, but Are Your Vendors?

The sheer volume of the third-party relationships we manage keeps me on my toes. A single compromised user from any vendor could trigger a company-wide incident. After all, hackers only need one successful attack while security teams must be right every time. 

For CISOs, this means that secure innovation doesn't stop at internal processes — it must extend to the vendors that support their IT landscape. Collaborating with technology peers to better understand and mitigate risks is key to fostering innovation without increasing the cyber-risk. Equally important is building strong, proactive partnerships with third-party vendors to verify they are prepared to respond at scale when disruptions occur. 

To optimize this process, CISOs should focus on understanding which vendors are critical to the corporate infrastructure, particularly those involved in environments that require frequent updates. By ensuring these vendors follow rigorous testing protocols before rolling out changes, companies can better manage the trade-offs between innovation and operational stability.  

Security-First Innovation

CISOs must lead the charge in integrating security-first practices into the heart of innovation, positioning themselves as trusted advisers who enhance the company's overall objectives. By coming to the table with solutions rather than simply highlighting risks, we can shift the dialogue from "security will never approve" to "security can help make this better."  

This cultural shift fosters collaboration with executives and third-party vendors, embedding security into every phase of the organization's growth. When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring that innovation and security coexist.  

Read more about:

CISO Corner

About the Author

Jill Knesek

CISO, BlackLine

Jill leads all information security programs at BlackLine, including promoting information security awareness within the company, ensuring the confidentiality, integrity and availability of clients’ data, as well as BlackLine’s internal information resources, managing incident response teams and also facilitating adherence to security industry best practices and regulatory compliance requirements. 

  

Jill came to BlackLine in April 2022 with more than 25 years of cybersecurity experience working in both internal and customer-facing roles including serving over 15 years in CISO positions at Cheetah Digital, Mattel and BT Global Services. Previously, Jill served as a Special Agent for the FBI, assigned to the Cyber Crime Squad in the Los Angeles field office where she was the lead case agent for several high-profile cases, including the infamous Kevin Mitnick and MafiaBoy investigations. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights