Want faster products and stronger trust? Build security in, not bolt it on
In this Help Net Security interview, Christopher Kennedy, CISO at Group 1001, discusses how cybersecurity initiatives are reshaping enterprise strategy. He explains why security must be embedded across IT, business lines, and product development, how automation and risk discovery can drive competitive advantage, and why security leaders need to play a central role in shaping business outcomes.
Traditionally, cybersecurity has been seen as a cost center. What are the most compelling ways it can now drive business value or competitive advantage?
Security leaders must get ahead of infrastructure security issues. Most breaches take place due to poor IT hygiene. If the security team is policing hygiene as a mission, they will only be seen as the IT janitor. Unfortunately, any board or executive leadership team that still thinks this way, and doesn’t recognize the organizational dependence on technology, or doesn’t seek to understand modern threats, isn’t positioned for success.
In order to elevate security, rising tides must raise all ships. IT and business lines must understand their security responsibilities, and security must be effective at being the leader, coaching to drive that evolution across all business and functional support spectrums.
Risk avoidance starts with risk discovery and education. Through speed of response or strategic awareness and plans, this alone can be a competitive advantage in leading an organization to be more effectively defended. We can better survive industry threats.
Using automation like cloud configuration compliance, SAST, DAST, SBOM, and SCA technologies integrated into the IT and application SDLC can speed application development by identifying flaws through the development lifecycle. This can reduce costly fixes post-release or, at a minimum, ensure clear awareness of exposure when they emerge, not after costly exploitation.
Security and IT debt and its associated impact on the value of an M&A are finally evolving and are richly considered in deal negotiations.
A strong security team and analytics capability can service adjacent threats considering the convergence of physical, people, and insider threats and ways to combat them. With the continuing persistence of fraud, mature security access control and analytics capabilities are often a critical defensive component.
Can you speak to how cybersecurity initiatives are influencing product development, customer trust, or time to market today?
Customer trust is paramount in the insurance business. Demographics often lean toward older customers at or approaching retirement. This means that as security professionals, we’re protecting the lifetime nest eggs of our clients and, in aggregate, our critical national financial infrastructure. Customers expect us to do a great job protecting both their and our future, as we both benefit from it.
For a business to be successful in both a business capacity and protecting the entrusted funds of our clients, security must be woven culturally through the fabric of how an organization operates. The Sec in DevOps, a seat at the table in product creation/evolution, and a strong product (technology governance function) are key to building product and underlying systems that are inherently more trustworthy and get to market faster. This is because security is built in through the design vs. bolted on, or worse, at risk until remediated. A culture of continuous testing and inherent validation must be accepted to ensure product, code, or process quality.
What are the most important security metrics that resonate with business stakeholders?
The most important factor in metrics is to make metrics that matter and will be used to manage results, not data. Quality metrics often have many layers and are often built on and depend on good data and technology hygiene. It’s important to recognize which metrics you can reliably adopt through the maturity curve.
A few that I have focused on include:
- Infrastructure compliance and who’s responsible. These systems are NOT safe and secure because of an IT issue in configuration enforcement, patching deficiency, third-party software flaw, and more. Dashboards of visibility on basic system management issues are incredibly operationally illuminating (if used).
- Developer flaw/using security automation to illustrate bad software practices by an individual, team, or unit. Who releases the “cleanest vs. the dirtiest code” and why (rushing, sloppy practices, adherence to standards, training, etc.). This one is more of a managerial metric than a security one, but fixing the root cause should be the focus.
- Automated security testing, breach and attack simulation, and penetration testing. This includes control adherence and efficacy (it works or it doesn’t) and security pipeline confirmation (all my logging and response trails are firing as expected, MTTR—how long it takes to detect, respond, and remediate). Speed is the discriminator of incident response. Gone are the days of the narrow-scope annual pen test. Use automated testing to define the security report card and to demonstrate regulatory compliance cleanly. Do it every day, with every release.
- More subjective metrics around access – “blast radius.” Create and use asset inventories and BCM data to define critical assets and use access visibility to those assets to define “radioactivity” and access availability thresholds. Drive this into access certification campaigns.
- Use comprehensive assessments of critical third parties (not just internet-facing scans) to define dossier-based assessments of strategic third parties’ risks. Test those concerns where contractually feasible. Use this intelligence to drive strategic sourcing decisions: Who is the most strategic, highest risk vendor? Why? What are we doing about it?
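As an added illustration of the "blast radius" metric described above (this is example code written for this page, not part of the interview and not Group 1001's tooling): a small Python sketch that joins an asset inventory carrying a BCM criticality tier with an entitlement export, scores each identity by what it can reach, and lists who should land in an access certification campaign. The inventory, entitlements, tier weights and privilege multipliers are all constructed and arbitrary; the point is the join and the threshold, and the `unknown` bucket shows what happens when inventory hygiene is poor.

```python
from collections import defaultdict

# Constructed sample data (assumption, not from the interview): asset inventory
# enriched with a BCM criticality tier (1 = most critical) and an entitlement export.
ASSETS = {
    "policy-admin-db": 1,
    "claims-api": 1,
    "payroll": 2,
    "build-server": 2,
    "wiki": 3,
}

# Assumed weights: a tier-1 system counts ten times a tier-3 one.
TIER_WEIGHT = {1: 10, 2: 4, 3: 1}

# Assumed privilege multipliers: admin on a system is worse than read-only.
PRIV_MULT = {"read": 1, "write": 2, "admin": 3}

ENTITLEMENTS = [
    ("alice", "policy-admin-db", "admin"),
    ("alice", "claims-api", "admin"),
    ("alice", "wiki", "read"),
    ("bob", "claims-api", "read"),
    ("bob", "wiki", "write"),
    ("bob", "legacy-ftp", "admin"),          # asset missing from the inventory
    ("carol", "payroll", "write"),
    ("carol", "build-server", "admin"),
    ("svc-ci", "build-server", "admin"),
    ("svc-ci", "policy-admin-db", "read"),   # service account reaching a crown jewel
]


def blast_radius(entitlements, assets, tier_weight=TIER_WEIGHT, priv_mult=PRIV_MULT):
    """Score every identity by the criticality and privilege of what it can reach.

    Returns {identity: {"score": int, "critical": set, "unknown": set}} where
    "critical" holds the tier-1 assets the identity touches and "unknown" holds
    assets that exist in the entitlement export but not in the inventory.
    """
    result = defaultdict(lambda: {"score": 0, "critical": set(), "unknown": set()})
    for identity, asset, priv in entitlements:
        entry = result[identity]
        if asset not in assets:
            # Inventory gap: we cannot weight it, so surface it instead of ignoring it.
            entry["unknown"].add(asset)
            continue
        tier = assets[asset]
        # Unrecognised privilege levels are treated as admin (fail closed).
        entry["score"] += tier_weight[tier] * priv_mult.get(priv, priv_mult["admin"])
        if tier == 1:
            entry["critical"].add(asset)
    return dict(result)


def certification_targets(radius, threshold):
    """Identities at or above the radioactivity threshold, hottest first."""
    hot = [(ident, r["score"]) for ident, r in radius.items() if r["score"] >= threshold]
    return sorted(hot, key=lambda item: (-item[1], item[0]))


def asset_exposure(entitlements, assets, max_tier=1):
    """The asset-side view: which identities can reach each critical asset."""
    exposure = defaultdict(set)
    for identity, asset, _priv in entitlements:
        if assets.get(asset, 99) <= max_tier:
            exposure[asset].add(identity)
    return dict(exposure)


if __name__ == "__main__":
    radius = blast_radius(ENTITLEMENTS, ASSETS)
    for ident, score in certification_targets(radius, threshold=20):
        print(f"{ident:8} score={score:3} critical={sorted(radius[ident]['critical'])}")
    for ident, r in radius.items():
        if r["unknown"]:
            print(f"{ident}: entitlements to uninventoried assets {sorted(r['unknown'])}")
    for asset, who in asset_exposure(ENTITLEMENTS, ASSETS).items():
        print(f"{asset}: reachable by {sorted(who)}")
```

Two things fall out of running it that the list item only implies: a low-privilege service account with read on a tier-1 system can outscore a human with admin on mid-tier systems, and an entitlement to an asset the inventory does not know about cannot be scored at all, which is why the metric sits on top of inventory hygiene rather than replacing it.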
Should security leaders be more embedded in product, engineering, and business strategy discussions? If so, how should that integration work in practice?
Yes, in many ways. Rafeeq Rehman’s work is the best way to introduce an immature organization to what the job entails.
The organization has a diplomatic responsibility to have the right talent to participate, with or without great governance, in all significant business efforts:
- A seat at the leadership table and an executive culture to work with security integration/observation into major business projects and efforts to be able to insert where appropriate.
- Technical visibility to defend the environment comprehensively, and committed stakeholders to manage access, data, and connectivity. Security tools don’t tune themselves.
- Strong influence on corporate policies, IT architecture, and operating standards with the ability to both lift a pen to change rules and behaviors and contribute code to fix issues.
- An org structure with the capacity to be value added across all these spectrums.
What are some underappreciated ways cybersecurity will shape enterprise strategy in the next 3–5 years?
GenAI will amplify the risks of a weak data protection strategy. Those who govern adoption well will be positioned to grow. Others will potentially lose the farm in regulatory or IP loss issues.
Inherited third and fourth-party risks continue to be a struggle in risk transfer. Security will play a bigger role in contracting, assessments, and continuous diligence. Post-breach contract terms are not enough to recover when your business is down or suffering another reputation hit.
Spying is evidenced to be back after the DPRK remote worker disclosure from KnowBe4. The same tactics are being used, but with new techniques. Security will span across the human lifecycle, playing a stronger role or beefing up people intelligence, insider threat behavior analytics, and more. Remote work presents a new opportunity in an old strategy.
The tragic UnitedHealthcare CEO assassination and political volatility will mean security’s threat intelligence capabilities must move beyond commoditization. Comprehensive organizational sentiment analysis and open source discovery of exposure to all public business and executive operations will become table stakes. Security is moving from a business protection function to an enabling life safety one.