IT security professionals play a vital role in keeping businesses safe from serious security incidents. Whether they’re actively defending against targeted cyberattacks or implementing technology and policies to mitigate costly mistakes, the work of the security team can often be all that stands in the way of a major breach with a multi-million-pound price tag, writes Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic.
Yet although strong cybersecurity is now increasingly essential for business success, many security professionals all too often feel underappreciated and overlooked, with security efforts being seen as a frustrating barrier by both colleagues and the board. Aside from the obvious impact on morale and working relationships, this image problem can also reduce the team’s effectiveness and increase the chances of a security incident.
Naysayers and Policemen?
To get to the heart of security’s image problem, Thycotic asked UK-based IT security decision makers how the security department was seen within the company. Nearly two thirds of respondents (63 percent) stated that their security teams are viewed as the company naysayers – specifically as either ‘doom mongers’ or a ‘necessary evil’. Many believed they were viewed as the company’s ‘policemen’, and 13 percent even stated that their team experienced negativity from colleagues on a regular basis.
The less-than-flattering image of security practitioners may stem from the fact that most workers will only encounter their security team in negative circumstances.
Most communications from the team will focus on security warnings and uncompromising instructions about new policies and why they must be followed. In other cases, employees may have found themselves in their security team’s sights because their activity has led to a security risk.
Alongside being cast as unpopular authoritarians, security professionals were also likely to feel ignored and unappreciated by their colleagues. Twenty-seven percent of respondents to Thycotic’s survey said they believed the security team is seen as something that just runs in the background and goes largely unnoticed.
These image and relationship issues can have serious implications for the company’s security capabilities. Workers who hold the security team in poor regard will be much less likely to respect their authority and take their requests and guidance seriously.
The majority of security professionals responding to Thycotic’s survey said that new security measures and policies were met with indifference or negativity. When security is seen as an annoyance or a barrier, employees will be more likely to disregard important security policies or find a way around them, leaving gaps that could be exploited by cyber criminals. For example, personnel may download and share sensitive files in insecure ways, increasing the chances of them being leaked or stolen, or they could expose the company’s servers to malware by ignoring safe internet guidelines.
Cybersecurity’s image problem can largely be traced back to a lack of understanding and communication at all levels of the company. Despite the increased exposure of recent years, security is still seen by many as a complex field full of unfathomable technical jargon. Combined with the tendency to focus on risks and threats, it is easy to see why laypeople come to regard cybersecurity as something hostile and best given a wide berth.
The key to overcoming this lack of communication is to start at the top. Security teams will find it extremely difficult to get the majority of personnel on side if the senior management have not bought into the importance of security. Encouragingly, Thycotic’s survey found that the vast majority of security professionals believe their boards listen to them and consider their input, though many still had difficulty convincing them of the business case for security investments.
CISOs are perhaps the most important individuals in bridging this gap and establishing a good dialogue with the board of executives. They can act as a Rosetta Stone, translating security issues from jargon-laden technical talk into familiar, business-centric language. Accordingly, among their various other skills, it is vital for a CISO to be a strong communicator. A business-first approach is essential: by focusing on the company’s objectives and backing up their points with evidence, CISOs can help the board understand how cybersecurity affects the company’s bottom line and its ability to innovate and grow. This includes related fields such as compliance and regulatory demands around security and data privacy. Taking a business-first approach will reposition security away from being a negative expense and towards being a positive enabler.
Spreading the Word
Influence at this strategic level will make it much easier for the CISO to reach the rest of the organisation and improve the general understanding and attitudes to security. For example, they can launch awareness campaigns to help demystify security issues. A good CISO will be able to play a major role in improving security’s “brand” and establishing a security-centric work culture.
Keeping employees informed about security issues – for example, why policies have been implemented and why following them is good for the business and for the employees themselves – will make a tremendous difference in establishing security as a positive experience. By making it clear that security can be a dialogue rather than a diatribe, the security team can be seen as a valuable, supportive agent that helps fix problems rather than one that throws up barriers.