Walking the tightrope between innovation and risk

COMMENT

The July CrowdStrike incident serves as a stark reminder of the unintended consequences organizations face when innovating to improve security and streamline operations. Using best-in-class technology is generally a safe bet for chief information security officers (CISOs) when selecting a security vendor, but it is equally important to be aware of how that technology will be deployed and the amount of risk it can create. I deployed CrowdStrike as one of my endpoint security tools, and standardizing on this solution allowed my security operations to be automated and created muscle memory among my security engineers. This resulted in a faster, more streamlined response to security alerts.

However, the CrowdStrike incident served as a sobering lesson about the potential consequences of misconfigured real-time updates on critical business operations. This opened my eyes to thinking about risk and innovation a little differently. It’s not just about selecting a vendor with a strong security program, but also about considering the breadth of the vendor’s product implementation as well as how the product is updated in an environment. By understanding these different elements, companies can make more informed decisions to manage innovation against risks in a controlled manner.

Interestingly, some companies’ reliance on older operating systems shielded them from the direct effects of the CrowdStrike incident. While their outdated technology was once seen as a liability, it became a surprising advantage in this case. This scenario suggests that a trade-off between innovation and risk may be inevitable. However, both are achievable. So how can CISOs strategically balance the two to ensure secure, forward-thinking operations?

Overcome the barrier in the boardroom

CISOs often face the misconception that they are barriers to innovation in the boardroom. To dispel this perception, we must reframe the discussion from a “security versus innovation” perspective to a “secure innovation” perspective.

Security and innovation are not mutually exclusive, nor should they be. When security is integrated early in the development process, it ensures that innovations are both novel and secure. CISOs must proactively reach out to other leaders across the organization, from the chief technology officer (CTO) to the chief financial officer (CFO), to ensure security is factored into strategic decisions from the start. It’s about building relationships in which security becomes as natural as the brakes on a car: essential for control, but enabling speed and progress.

Promote a culture of security

One of the most important roles of a CISO is to be seen as a facilitator of innovation rather than a blocker. In reality, the role of a CISO goes far beyond protecting systems; it involves communicating risks at an enterprise level and ensuring that security enables progress rather than stifling it. The key to achieving this lies in promoting a security culture that involves the entire organization, from leadership to employees in the field.

As the first line of defense, employees are crucial to establishing a security-first culture. Daily interactions with third-party vendors and potentially malicious content expose them to risks that can compromise the entire organization.

A powerful way to engage employees in this mission is to make security personal. Phishing attacks, data breaches, and threats to personal banking information are tangible examples that resonate with employees. When people understand that their actions can directly affect their own security, as well as that of the company, they are more motivated to adopt secure practices. With a security-conscious employee culture, defense strategies are integrated into innovation efforts from the beginning.

You’re safe, but are your suppliers?

The sheer volume of third-party relationships we manage keeps me on my toes. A single compromised user from any vendor can trigger an enterprise-wide incident. After all, hackers only need one successful attack, while security teams must always be right.

For CISOs, this means that secure innovation is not limited to internal processes: it must extend to the vendors that support your IT landscape. Collaborating with technology peers to better understand and mitigate risks is critical to promoting innovation without increasing cyber risk. Equally important is building strong, proactive partnerships with third-party vendors to ensure they are prepared to respond at scale when disruptions occur.

To optimize this process, CISOs should focus on understanding which vendors are critical to the enterprise infrastructure, especially those involved in environments that require frequent updates. By ensuring these vendors follow rigorous testing protocols before pushing changes, companies can better manage the trade-offs between innovation and operational stability.

Innovation that prioritizes security

CISOs must lead the integration of security-first practices at the heart of innovation, positioning themselves as trusted advisors who advance the company’s overall objectives. By presenting solutions rather than simply highlighting risks, we can shift the conversation from “security will never approve” to “security can help improve this.”

This cultural shift promotes collaboration with executives and third-party vendors, incorporating security into every phase of the organization’s growth. When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring that innovation and security coexist.
