Enterprise cybersecurity: Three topics to discuss with your CISO


As a consumer, I enjoy the fact that so many services are now available to us at any time: everything we need, from ordering a food delivery to a legal consultation, takes just a few taps in an app. It has become so convenient that companies can even anticipate our needs and offer recommendations or the next best action.

However, as an executive at a tech company, I can also see how challenging it is for businesses to meet these high customer expectations and make sure they have relevant, personalised offerings available when needed.

Therefore, it is exciting to see how technology makes this possible: it allows enterprises to make the right decisions based on data analysis, to automate manufacturing, and to improve targeting and delivery to customers through digital channels. With this growing range of automation and digitalisation, information security now plays an important part in the overall organisational strategy, and business leaders need to listen to security more closely.

We’ve spoken to IT security leaders from enterprises around the world to learn what concerns them and how their companies can overcome these roadblocks.

Security and IT – cooperation or chain of command?

The increasing importance of cybersecurity is clearly reflected in organisational structure. Companies tend to have IT and IT security as two separate departments: 29% of Chief Information Security Officers (CISOs) say that no longer reporting to IT is the number one change in their role, and a further 39% ranked it the second most important change, according to a recent survey of IT security leaders conducted by 451 Research.

Most security heads believe that this is a change for the better: being separated from IT gives cybersecurity experts more independence and room for impartial judgement. However, this does not mean that the two teams can work completely independently. Security essentials such as patching, access control, and secure infrastructure configuration typically remain the responsibility of IT. Conversely, the cybersecurity department may not be informed of new IT initiatives and therefore cannot assess them in advance.

The majority of CISOs assess their relationship with IT as positive but confirm that there are some conflicts. Some describe it as "grabbing land", meaning that it can be hard to determine who has the final say on specific matters such as patch management routines, the level of flexibility and system access granted to the remote workforce, or whether to shut down computers and servers during a possible breach.

Cybersecurity is still viewed as a bottleneck, as security requirements can make it difficult to launch new IT projects or to maximise the performance of information systems. As one head of IT security told us, there is "contention between doing it securely and just getting it done."

To avoid creating a toxic working environment, businesses should decide on the structure that is right for them, taking into account their level of maturity, the budgets for IT and IT security, and the size of the workforce in each department. In some cases it may not be worth rushing to set up IT security as a separate department until it is clear that the two teams can cooperate.

It can also help to have a single executive to whom both the head of IT and the head of IT security report. This can be the CEO or the Chief Risk Officer, who then takes responsibility for ensuring that both teams make the necessary compromises.

Is it enough to count blocked attacks?

Business today needs to strike a balance between exploring new opportunities and minimising risks, including those related to cybersecurity. To achieve this, mature enterprises practise risk assessment and risk management.

Over their careers, IT security leaders have seen a variety of metrics used to measure exposure to cybersecurity risk: the number of incidents an enterprise experienced over a given period, the number of threats blocked by prevention solutions, the number of completed cybersecurity projects or implemented solutions, the number of patched issues, and even the amount of money allocated to cybersecurity. However, having measurable metrics is not the same as assessing cybersecurity risk. "Focusing solely on quantitative information doesn't provide a clear picture of cybersecurity risks" is a typical opinion.

On the surface, all these approaches comply with the common rule for communication between cybersecurity and business departments: speak in numbers, not IT security jargon. However, figures and charts, when used as the only measure, do not tell you everything about the actual state of security. Quantitative data should be enriched with qualitative analysis to determine which cybersecurity risks can affect IT assets and how likely each of those situations is.

It is also essential that every identified threat is evaluated in terms of how it affects the business, and that is where input from stakeholders (essentially the leaders of finance, sales, development, marketing and so on) is required. They can define the main business objectives: for example, growing the share of digital sales, or starting to collect more customer data for analysis.

This information allows security priorities to be set, since there is no such thing as being 100% risk-free everywhere. Based on the input from the business, IT security may choose to prioritise DDoS protection, for example, or to strengthen its data protection mechanisms.

Cybersecurity risk management is a challenging task, but it pays off: it allows a company to prepare for the risks that are most likely and most significant for the business. Risk assessment is key to establishing accurate plans for the next steps in mitigation and response. To achieve this, company leaders need not only to ask CISOs to somehow calculate cybersecurity risks, but also to participate in the process themselves and bring their broader business expertise and insight to the discussion.

Is it a lack of security talent or lack of education?

The shortage of personnel is seen as an evergreen problem in cybersecurity, and 70% of respondents to the aforementioned survey of CISOs confirm this. So we talked with some of these CISOs to learn what they think about the lack of talent in the industry.

Interestingly, some of the respondents think that the issue is not finding the right candidate but the expectations placed on a new employee. CISOs confirmed that business leaders expect an immediate effect from a new hire, so they have to look for a "unicorn" with a unique skillset instead of developing such talent internally.

Unfortunately, this greatly narrows the pool of candidates: there are so many different technologies and solutions in use now that it is hard to find one person with all the necessary skills and background. Moreover, even such an experienced specialist still needs about two to three months of onboarding to learn the nuances of the particular company, its policies and its processes.

Another reason why enterprises are reluctant to train less experienced people is the concern that they will invest in people who, once trained and upskilled, leave for a better-paid job. However, given that such security specialists are rare, there is equally no guarantee that an already skilled professional will not receive a job offer with more interesting tasks or a higher salary.

To address this talent shortage, it is important for businesses to approve "backup" vacancies in the information security department that are not tied to urgent projects. New hires should be mentored and given not only routine responsibilities such as log review or first-line alert monitoring, but also the chance to learn something new and grow professionally.

Alexander Moiseev, Chief Business Officer at Kaspersky
