Nearly two-thirds of respondents (63%) feel that their security teams are either viewed as the company naysayers, “doom mongers” or a “necessary evil” (36%), despite the fact that more companies are hiring CISOs and data protection officers in response to new risk frameworks in data protection regulations, such as the EU’s General Data Protection Regulation (GDPR).
Some 27% of respondents said company security and security professionals are just something that runs in the background that employees don’t really notice.
The research, which was conducted with 100 IT security decision makers within the UK, revealed that more than a third of respondents (38%) believe that they are viewed as the “policemen”, with 13% saying that they continually experience negativity towards their team and their work.
Almost three-quarters (74%) of security professionals reported negativity or indifference regarding the introduction of new security measures and policies, with employees believing it will hamper their work (35%) or barely paying any attention (39%).
Security professionals are also struggling to promote their value to other departments in the business, with 90% saying other departments could have a better understanding of what they are trying to achieve, while 88% feel that it could be easier to communicate their views to executive management in other functions such as human resources (HR) and finance.
Board lip service
Security professionals said boards perceive them as functional but not as a force for competitive advantage, with 56% saying they feel restricted by the board and only 41% reporting that their organisations have a CISO in place on the board.
Although the security team can be instrumental in business transformation, only 44% believe that the C-suite sees them as a positive force for innovation, and just 13% of respondents believe that the board sees them as helping the company to gain a competitive advantage.
The findings suggest that boards may be paying lip service to IT security teams, as there is a disparity between what the board says and how this translates into investment.
While 87% of security professionals believe that the board listens to them and values their input, a considerable proportion (62%) believe that the board can’t always see the business case for security investments.
Joseph Carson, chief security scientist and advisory CISO at Thycotic, said that at a time when security teams are under huge pressure and play an increasingly strategic role within the company, it is disappointing that they are not feeling valued either by their co-workers or by senior executives.
“The fact that negative opinions are rife among employees also suggests that security teams need to work harder to communicate the strategic importance of their roles to the business and reinvent themselves as ‘facilitators’ rather than ‘enforcers’ who enable the business to run smoothly,” he said.
Align with business values
One of the reasons for commissioning the study, said Carson, was to find out what organisations could do differently to enable CISOs to contribute to the overall success of the business by understanding what is working and what is not.
“In light of the fact that many CISOs see their role evolving to focus more on risk, we believe organisations also need to shift their focus to reducing risk by using cyber security techniques, skills and knowledge, rather than seeking to address cyber security in general without any tie-in to the business,” said Carson.
“At the same time, security professionals need to focus on how they can make people and processes more efficient by implementing more secure processes and technologies to save time and cost and creating new opportunities, thereby contributing directly to the bottom line of the business,” he said.
With this approach, said Carson, boards will more easily understand and see the strategic value of what the security professionals are doing, because as long as they are asking for investments for technical solutions to technical problems, boards will continue to see them as a cost and a burden.
“IT security professionals need to look at the business goals of the company and then align their security project with achieving those goals, while at the same time addressing the risks across the various departments and improving security.”
While the findings of the study are not surprising, Carson said it is important that organisations and security professionals recognise and understand the issues that the study identifies so that companies can change their approach and avoid repeating the mistakes of the past.
“Traditionally, boards have prioritised sales, HR and customer services above IT security because they do not consider security as having any strategic value or they do not see cyber risk on the same level as other forms of business risk.
“One way to change this thinking is for security professionals to present cyber risk not in terms of technicalities, but in terms of return on investment and the financial cost of the risk, including the cost of not having insurance coverage in these areas because those are things that boards and all the departments within the business will understand,” he said.
In response to the finding that cyber security is widely viewed in a negative light, Carson said IT security professionals need to be more proactive in changing that perception by demonstrating how security can enable business. One way they can do this is by making it possible for customers to access services securely from anywhere on any device, and by making employees more productive.
“It is also important to highlight when the security team has done a good job because all too often the only time people in a business are aware of the IT security team is when things go wrong – or when they are being prevented from doing something due to compliance or other security requirements,” said Carson.
He believes it is important for IT security professionals to have a voice when everything is working well and not only when the business is worried about new security-related regulatory sanctions or cyber threats.
“What we are seeing is that boards are listening, but are not taking any action because they do not see it as important to the bottom line of the business, and as long as that is the case, we will continue down the path of nothing happening,” said Carson.