Things are changing in information security, but probably not in the way you think. Do business leaders know what their Chief Information Security Officer (CISO) is thinking?
From TV-on-demand to Pad Thai-to-your-desk, you can now get almost anything, any time, with a few taps on a screen. Companies give us personalized recommendations for today and anticipate what we’ll want tomorrow.
While it can be hard to meet ever-increasing customer expectations, technology is on the business’s side. We can better target consumers, use data to make better decisions and deliver at low cost through digital channels. This growing number of technological windows to the world means business leaders must be cognizant of information security more than ever before.
How do business leaders make sure their IT security operations are safe in the present and fit for the future?
We asked over 300 Chief Information Security Officers (CISOs) from around the world how their role is changing. For detailed analysis, see our report Cybersecurity through the CISO’s eyes: Perspectives on a role. These are three of the headline findings.
1. Organization structures reflect cybersecurity’s importance
For evidence of the increasing importance of cybersecurity, look no further than organizational structure. IT and IT security are fast becoming separate departments in many businesses. Nearly a third (29 percent) of IT security leaders say not reporting to IT is the number one change in their role.
Most think it’s a change for the better. Separation from IT gives cybersecurity experts more independence and room for impartial judgment. However, the teams can’t be completely independent. Some security essentials will stay as IT’s responsibility, like patching, access control and configuring a secure infrastructure. The cybersecurity department also needs to know about all new IT initiatives to assess them in advance.
Most CISOs say they have a good relationship with IT. Where there is conflict, it tends to be around who has the final say on things like deciding patch management routines, the level of flexibility and access for remote workers, and shutting down computers and servers during a possible breach. IT sometimes sees cybersecurity as a bottleneck because security requirements make it harder to launch new IT projects and maximize system performance. As one head of IT security told us, there’s tension “between doing it securely, and just getting it done.”
What can we learn about organizational structure?
For a supportive working environment, choose a structure that suits your business. Consider the level of maturity, budgets for IT and IT security, and the size of the workforce in each. Don’t rush to set up IT security as its own department – you need to know they can cooperate first.
It helps to have one executive to whom the heads of IT and IT security report. It could be the CEO or Chief Risk Officer. This person must make sure both teams make necessary compromises.
2. Risk assessment needs insight, not just numbers
Business today must balance exploring new opportunities and minimizing risk, including cybersecurity risk.
Throughout their careers, IT security leaders have seen many measures for cybersecurity risk, such as threats blocked and issues patched. Metrics follow the ‘use numbers, not IT security jargon’ rule of communicating with business departments, but figures and charts alone don’t tell you everything you need to know.
What can we learn about good risk assessment?
To know which cybersecurity risks could affect your business and how likely they are, enrich the numbers with qualitative analysis.
Involve stakeholders like leaders of finance, sales and marketing in evaluating how identified threats affect the business. Their understanding of the main business objectives, such as to grow digital sales or start collecting more customer data, lets you set security priorities. Company leaders shouldn’t just ask CISOs to calculate cybersecurity risk, but to share their broader business insight.
3. Be realistic when hiring
Around two thirds (70 percent) of CISOs said people shortages were a problem for them.
Interestingly, some think it isn’t a shortage of talent making it hard to fill roles, but unrealistic expectations for new hires.
When a new hire must start adding value right away, the CISO is tasked with finding a ‘unicorn’ with a unique skill set, instead of developing internal talent. With all the different technologies and solutions nowadays, few have all the skills and background. Even an experienced specialist needs two to three months to learn the company’s policies, processes and nuances.
Enterprises are often reluctant to train people with less experience because they may leave for a better-paid job. But there’s no guarantee any skilled professional won’t be offered a more interesting job with a higher salary, whether you’re upskilling internally or hiring externally.
What can we learn about hiring?
Approve ‘backup’ vacancies in the information security department not related to urgent projects. Make sure newbies are mentored and given more than routine responsibilities like log reviewing. Give them the chance to learn something new and to grow professionally.
These headline findings distill the wisdom of over 300 CISOs worldwide. Our focus was on how things are changing, but in many ways, they brought us back to basics. Enterprise security depends not only on implemented solutions but on well-tuned internal processes. Success doesn’t wear a ‘one size fits all’ organization structure. It’s in good communication between departments and in finding the knowledge behind the numbers. It’s in hiring realistically and investing in the people you have today.
This article was published in February, 2020.