May 13, 2019 | Guest article by Joseph Carson, Chief Information Security Scientist, Thycotic
Chief Information Security Officers (CISOs) shoulder tremendous responsibility. They’re ultimately responsible for their company’s cyber security posture. At the same time, the security decisions they make also impact core business metrics such as productivity, cost savings, revenue growth, and brand perception.
The world of today’s CISOs is a balancing act. On one hand, they are “enforcers” of cyber security rules and regulations. On the other, they must be “enablers,” working to build a cyber security culture that contributes to business objectives. It’s not enough for CISOs to have strong technical skills. In this pivotal role, they must also become strong internal leaders.
To better understand the challenges facing today’s CISOs, Thycotic surveyed IT security leaders at 200 organisations in the UK and Germany. With the recent passage of EU GDPR, companies in the EU face stringent cyber security requirements and customers are highly aware and concerned about data protections. Understanding how CISOs in the UK and Germany are perceived provides a benchmark we can use to gauge the issues facing all CISOs, regardless of industry or geography.
The results of the Thycotic survey reveal lessons for all security leaders who want to achieve greater impact.
According to The CISO Challenge: Aligning Business Enablement with Enforcement, perceptions make a CISO’s job even harder.
CISOs must “manage up” to executive leadership and boards of directors, most of whom don’t understand the nuances of information security. And, they also must “manage down” and “manage across” to the rest of the organisation by providing IT solutions that create a positive experience for users and empower them to maintain security while doing their jobs.
If they’re lucky, CISOs may be invited to present to the board, but they’re not always considered a true member of the leadership team. Only half of the organisations surveyed in Thycotic’s report have a CISO position on their executive boards. CISOs and security teams have to work to gain the ear of business decision-makers, and it’s often not easy.
Most executives aren’t technical experts and don’t have a cyber security background. They may have misconceptions about cyber security that impede their ability to understand what it takes to protect an organisation in today’s environment. They may also feel intimidated by the intricacies of cyber security requirements or industry jargon, and avoid engaging with the details.
CISOs report that their company leaders often don’t view information security as a strategic business enabler. Rather, they see the role of the security team as “keeping the lights on and systems running.” They consider the security function as a cost center that is a necessary requirement of running a business.
In fact, decisions CISOs make enable a business to grow. Security can be a competitive differentiator that helps a company build trust with customers and stand out among other vendors. For example, a well-communicated cyber security strategy can accelerate sales with security-conscious customers. And, building security into a development process can get products to market faster and drive revenue. In order to raise their visibility and influence at the highest levels, CISOs need to clarify and communicate their business impact.
Managing down and across
As the Thycotic report points out, most people aren’t measured on how secure they are, but on how well they get their job done. Therefore, when security tools and policies are implemented without consideration for employee needs, they can cause friction and negative feelings. For example, security teams may decide that certain applications or actions are off-limits to employees based on potential risk factors, but people may count on those very things to do their jobs.
Faced with policies that are too restrictive or solutions that are too difficult to use, employees may turn to “shadow IT” or find creative ways to skirt the rules—essentially defeating the purpose of a security policy designed to keep them safe.
It’s no wonder that, according to the survey, security leaders believe two out of three employees have had a negative experience with cyber security, or simply don’t care.
How can CISOs change negative perceptions?
1. Ask, “how can we make this work?”
Like it or not, new business requirements are driving changes for the security team. For example, the Internet of Things has ushered in new ways of sharing data that must be kept secure. Similarly, the DevOps trend has radically altered the pace for software development. If security teams don’t get on board the fast-moving train, they’ll be left behind.
Don’t be a policeman whose first instinct is to say “no.” Remove friction and bottlenecks wherever possible. Seek cyber solutions that prioritise work productivity as well as security. Make sure security tools are easy for other teams to use.
2. Share decision-making power
You don’t need to share all the details of how a cyber solution works, but you can share the reasoning behind the decisions you make, how success is measured, and how it helps with productivity.
When selecting cyber security solutions or implementing security policies, consider how your decisions impact the productivity of other teams. Proactively include other teams in the vendor selection process, particularly systems administrators, Helpdesk teams, and developers.
For example, let’s say you want to implement a least privilege policy. Consider the downstream impact on other teams and make sure you incorporate an application control solution to improve productivity and address their needs.
3. Speak the language of the business
To communicate effectively with executives and employees, you need a common vocabulary.
In your information security presentations to the board of directors, describe the importance of cyber security and explain the measures your IT team has taken to increase work productivity. Don’t simply speak in terms of operational goals (number of applications tested, number of tools deployed, etc.). Instead, focus your reports on information security metrics for executives. Measure impact on business goals, such as time saved, cost saved, and issues prevented. Make sure reports are clear, consistent, and easy for someone without a security background to understand.
4. Improve everyone’s cyber security awareness – empower your employees
As part of cyber security governance, continually reinforce the fact that cyber security is a shared responsibility for everyone in your organisation. Rank-and-file employees are increasingly the target of cyber-attacks, particularly as social engineering threats become more personalised. Employees must learn to recognise phishing attempts and understand the importance of cyber strategies that prevent malware and ransomware from stealing credentials and passwords to gain entrance to your organisation’s network.
Provide people with training tools and resources, such as workshops, videos, and guides such as Cybersecurity for Dummies. Perhaps hold a special board of directors training. The more people throughout your organisation understand the importance of cyber security, the more support you will gain.
Do these challenges sound familiar?
Get your copy of The CISO Challenge: Aligning Business Enablement with Enforcement, and see how your organisation compares.
- - - - - - - - - - - -
Thycotic empowers more than 10,000 organisations world-wide to protect their privileged accounts. They make enterprise-level privilege management accessible for everyone by eliminating dependency on complex security tools and prioritising productivity, flexibility and control. They pride themselves on their ability to provide you with an affordable and easy-to-use, yet powerful Privilege Access Management solution to help you protect what matters most!