Walking the Tightrope Between Innovation & Risk

When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring innovation and security coexist.

Jill Knesek, CISO, BlackLine

October 10, 2024


COMMENTARY

July's CrowdStrike incident serves as a stark reminder of the unintended consequences organizations face when innovating to enhance security and streamline operations. Using best-in-class technology is usually a safe bet for chief information security officers (CISOs) when selecting a security vendor, but it's equally important to be cognizant of how that technology will be deployed and the amount of risk it can create. I've deployed CrowdStrike as one of my endpoint security tools, and standardizing on this solution allowed my security operations to be automated and built muscle memory among my security engineers, resulting in a faster and more streamlined response to security alerts.

However, the CrowdStrike incident served as a sobering lesson about the potential consequences of real-time misconfigured updates on critical business operations. This has opened my eyes to thinking about risk and innovation in a slightly different way. It's not just about selecting a vendor with a strong security program, but also about considering the breadth of the implementation of the vendor product, as well as the way the product is updated across an environment. By understanding these different elements, enterprises can make more informed decisions to manage innovation against risk in a controlled manner. 

Interestingly, some companies' reliance on older operational systems shielded them from the direct effects of the CrowdStrike incident. While their outdated technology was once viewed as a liability, it became a surprising advantage in this case. This scenario suggests that a trade-off between innovation and risk may be inevitable; even so, both are achievable. So, how can CISOs strategically balance the two to ensure secure, forward-thinking operations?

Bridge the Barrier in the Boardroom 

CISOs often face the misconception of being barriers to innovation within the boardroom. To dispel this, we must reframe the discussion from a "security versus innovation" perspective to one of "secure innovation."  

Security and innovation are not mutually exclusive, nor should they be. When security is integrated early in the development process, it ensures that innovations are both groundbreaking and secure. CISOs must proactively reach out to other leaders across the organization, from the chief technology officer (CTO) to the chief financial officer (CFO), to ensure security is factored into strategic decisions from the beginning. It's about building relationships, where security becomes as natural as brakes on a car — essential for control but enabling speed and progress. 

Foster a Culture of Security

One of the most important roles for a CISO is to be viewed as an enabler to innovation instead of a blocker. In reality, the role of a CISO extends far beyond protecting systems; it involves communicating risks at a business level and ensuring that security enables progress rather than stifles it. The key to achieving this lies in fostering a culture of security involving the entire organization, from leadership to employees in the field. 

As the first line of defense, employees are crucial to establishing a security-first culture. Daily interactions with third-party vendors and potentially malicious content expose them to risks that can compromise the entire organization. 

A powerful way to engage employees in this mission is by making security personal. Phishing attacks, data breaches, and threats to personal banking information are tangible examples that resonate with employees. When people understand that their actions can directly affect their own security, as well as the company's, they become more motivated to adopt secure practices. With a security-aware employee culture, defense strategies are baked into innovation efforts from the start. 

You're Secure, but Are Your Vendors?

The sheer volume of the third-party relationships we manage keeps me on my toes. A single compromised user from any vendor could trigger a company-wide incident. After all, hackers only need one successful attack while security teams must be right every time. 

For CISOs, this means that secure innovation doesn't stop at internal processes — it must extend to the vendors that support their IT landscape. Collaborating with technology peers to better understand and mitigate risks is key to fostering innovation without increasing the cyber-risk. Equally important is building strong, proactive partnerships with third-party vendors to verify they are prepared to respond at scale when disruptions occur. 

To optimize this process, CISOs should focus on understanding which vendors are critical to the corporate infrastructure, particularly those involved in environments that require frequent updates. By ensuring these vendors follow rigorous testing protocols before rolling out changes, companies can better manage the trade-offs between innovation and operational stability.  

Security-First Innovation

CISOs must lead the charge in integrating security-first practices into the heart of innovation, positioning themselves as trusted advisers who enhance the company's overall objectives. By coming to the table with solutions rather than simply highlighting risks, we can shift the dialogue from "security will never approve" to "security can help make this better."  

This cultural shift fosters collaboration with executives and third-party vendors, embedding security into every phase of the organization's growth. When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring that innovation and security coexist.  

About the Author

Jill Knesek

CISO, BlackLine

Jill leads all information security programs at BlackLine, including promoting information security awareness within the company, ensuring the confidentiality, integrity and availability of clients’ data, as well as BlackLine’s internal information resources, managing incident response teams and also facilitating adherence to security industry best practices and regulatory compliance requirements. 


Jill came to BlackLine in April 2022 with more than 25 years of cybersecurity experience working in both internal and customer-facing roles including serving over 15 years in CISO positions at Cheetah Digital, Mattel and BT Global Services. Previously, Jill served as a Special Agent for the FBI, assigned to the Cyber Crime Squad in the Los Angeles field office where she was the lead case agent for several high-profile cases, including the infamous Kevin Mitnick and MafiaBoy investigations. 
