In IT security, there’s a serious lack of respect for the people on the front lines.
While daily headlines are filled with data leaks, breaches and cyberattacks (think of the recent headlines the Marriott data breach produced, or the discovery of an 87GB cache of stolen email addresses and passwords known as “Collection #1”), good cybersecurity practices and those tasked with carrying them out should be top priorities for enterprises and C-suite leadership.
However, many security pros and CISOs think their jobs don’t earn the respect they deserve, with many believing that their company boards and leadership view their roles as keeping the lights on and systems running, and not as a source of innovation within the business.
These feelings are made clear in a January 24 study, Perceptions of IT Security Are Critical to a CISO’s Success, released by Thycotic, a security firm that focuses on privileged access management (PAM) security tools, and market research company Vanson Bourne. The two asked 200 IT security decision-makers in the UK and Germany about their enterprise’s approach to security and the role of the InfoSec team within the business.
The results: About 50 percent of the security respondents believe that company leadership views their role as maintenance. Only 23 percent reported that security is viewed as an innovation center: a function that secures the infrastructure while helping the company meet long-term goals and achieve strategic growth.
More surprisingly, a paltry 9 percent view their role as “checking the compliance box,” a discouraging figure at a time when the European Union’s General Data Protection Regulation (GDPR), and other consumer privacy laws, have companies concerned about compliance and data governance rules.
Joseph Carson, the chief security scientist at Thycotic, noted that while the sample size comes from Europe, these feelings and beliefs are likely mirrored in the U.S. and other spots around the world.
In an email, Carson explains that part of the problem is that many companies’ approaches to cybersecurity have remained stagnant for the past two decades, while cyberattacks have evolved and laws and regulations such as GDPR are changing the way enterprises approach security.
“If you consider the transitions over the decades, we tend to try to make technology solve everything, and all of it has fallen into the IT Department’s responsibility to make everything happen,” Carson wrote. “We also keep trying to solve all cybersecurity problems, and we need to stop this immediately.”
Moving forward, Carson added, “We need to change the way we approach solving cybersecurity threats if we are going to be successful. Organizations need to first start with business risk; this is the most important transition any company can make today. The better they understand risk, the better they can use cybersecurity best practices to reduce risk.”
This technology-first approach helps explain why some of the numbers concerning security teams are skewed. For instance, 67 percent report that IT security is viewed as reactive to business needs, and as a cost to the organization instead of an asset. Another 26 percent report that their roles are defined as more of a security guard than an enabler of business. Finally, 17 percent report that the rest of the business views security as the team that says “no” to requests.
The result is that, while company leaders talk about (and worry about) security as each day brings a new breach, there’s a lack of funding for the security team. The report notes that about 40 percent of those surveyed view sales, HR, finance, customer service, R&D and marketing as of higher business importance, even though all those departments rely on security to operate safely.
However, all is not lost.
Instead of focusing on the day-to-day security needs, Carson recommends that CISOs and their InfoSec teams ask themselves: What does the enterprise need as part of long-term planning, and how much risk is the business willing to take?
“The CISO needs to make a positive cybersecurity impact and align both security and business goals, not only managing up to the board but across the business, if they are going to make a positive impact on the business with common goals,” Carson told Dice. “My recommendation is that, in the future, we probably need to move away from focusing on security. Instead, focus on business risk, with each department measuring business risk, then using cybersecurity skills and techniques to reduce the business risk to acceptable levels that the management and board agree is satisfactory. In the business, we may even need to stop using the term cybersecurity and use business risk instead.”
Indeed, Dan Lohrmann, chief security officer at Security Mentor, a Monterey, Calif.-based provider of security awareness training, notes that there are three concrete steps CISOs and security teams can take to increase trust while making sure the company is practicing good cybersecurity hygiene.
The first step: Get personal. Take fellow employees out to lunch or coffee as a way to understand their needs. It’s all about the people and developing so-called “soft skills.”
The second: Get to know the strategic projects the company is working on, and get involved right away. Security shouldn’t be “bolted on” to projects, making already complex projects more difficult. Instead, make “security a business enabler from the business design phase through to implementation,” Lohrmann noted.
Finally: Build trust. If there’s no seat at the executive table for the CISO right now, it’s time to create a role as a trusted advisor to the business on the projects it undertakes and the risks it takes on.
“Many people say, ‘Make sure you have a seat on the board,’ which is important, but what if you don’t have that seat right now?” Lohrmann added in an email. “When you do make presentations to the right decision-makers, offer multiple solutions to resolve pressing issues, and don’t just present more security problems and more bad news. Build a track record of consistent security metrics that earn trust, show success and deliver projects on-time and on-budget.”