SecTor 2015: Take advantage of changing threat landscape, CISOs told
For example, she said IT security shouldn't fear cloud computing, which allows organizations to create a pattern of infrastructure, wrap security controls around it and then replicate in a centralized way.
"Your job is not to stand in front of cloud but to figure out how to enable the organization to rapidly and radically adopt the cloud not just for economics but to improve the overall security posture," she said.
Similarly, CISOs need to embrace agile software and business development processes by making sure security teams are advising on risk.
Don't waste time worrying about millennials who seem to ignore security policies, she said. Instead use them "as an opportunity to radically change the way you approach security." For example, divide employees into blocks of users, each with a separate security policy: Privileged users have to use corporately-supplied devices, general users can bring their own.
But arguably her central message is that IT security teams have to create a better brand. "You don't want to be 'The House of No.' You want to be known for innovation. 'My job as a security team is to participate in the creation of innovation with confidence' - Something hokey like that. Define a mission statement. Define yourselves as partners and advisors and sources of dependable and simple information.
"The reality is business folks want you to be your partner but don't know how to talk to you."
Also, she urged CISOs to talk about risk in business terms to managers and executives. So, for example, let them know there is a risk of forced code compromise in an application that will steal customer information. Or in a medical device that could kill a patient.