Enterprise Cybersecurity: Three Topics to Discuss With Your CISO
As a consumer, I appreciate that many products and services have become so intuitive that companies can seemingly foresee our needs and offer future recommendations based on our preferences and prior behaviors. However, as an executive at a tech company, I also have a deep understanding of how challenging this can be for businesses to fulfill the ever-changing needs of customers.
Despite this challenge, it is exciting to be on the cutting edge of how technology makes this possible by allowing enterprises to make decisions based on data analysis, automate manufacturing and better target and deliver to customers through digital channels. With this growing range of automation and digitalization in place, information security now plays an important role in the overall organization strategy, and business leaders need to consider security concerns more closely than ever.
With this in mind, I’ve spoken to IT security leaders from enterprises around the world to learn what their concerns are and how their companies can overcome these roadblocks.
Security and IT – Cooperation or Chain of Command?
The increasing importance of cybersecurity is becoming clearly reflected in organizational structures as companies tend to have IT and IT security as two separate departments. Twenty-nine percent of Chief Information Security Officers (CISOs) say that not reporting to IT is the number one change in their role and 39 percent ranked it the second most important, according to a recent survey of IT security leaders.
Most security heads believe that this is a change for the better, as being separated from IT gives cybersecurity experts more independence for impartial judgement. However, this doesn’t mean that the teams can work completely independently of one another. For example, some security essentials like patching, access control and secure infrastructure configuration remain the responsibility of IT. Additionally, if the two departments do not communicate well, the cybersecurity department may not be informed of new IT initiatives and cannot assess them in advance to ensure they are protected.
The majority of CISOs consider their relations with IT as positive, but confirm that there can be conflicts. Some feel that it can be difficult to determine who has the final say on important matters such as deciding on patch management routines, the level of flexibility and access to systems for the remote workforce, or shutting down computers and servers during a possible breach. Since cybersecurity is still viewed as a bottleneck, security requirements can make it difficult to launch new IT projects or to maximize the performance of information systems.
To create a well-balanced work environment, businesses should decide on the right structure for them, taking into account the level of maturity, budgets for IT and IT security and the size of the workforce in each department. In some cases, it may not be worth separating the IT department until you are confident the two departments could work well together. Additionally, it would be worth considering having an executive in place who can take charge of making sure both teams make the necessary compromises.
Is It Enough to Count Blocked Attacks?
It is becoming increasingly important that businesses find a balance between exploring new opportunities and minimizing risks, including those related to cybersecurity. To achieve this, mature enterprises must incorporate risk assessment and management.
Throughout their careers, IT security leaders will see a variety of metrics used to measure the state of exposure to cybersecurity risks. These include the number of incidents an enterprise experienced over a certain period, the number of threats blocked by prevention solutions, the number of completed cybersecurity projects or implemented solutions, how many issues were patched and even the amount of money allocated to cybersecurity. However, implementing measurable metrics doesn’t necessarily mean one is assessing cybersecurity risks.
While it is a typical business approach to speak in numbers rather than industry jargon, figures and charts, when used as the only metric, do not tell you everything about the actual state of security. The quantitative data should be enriched with qualitative analysis to determine which cybersecurity risks can affect IT assets and how likely those situations are.
Cybersecurity risk management is a challenging task, but proves its worth as it allows companies to prepare for the most likely and significant risks for business. Risk assessment is key to establishing accurate plans for further steps on how to mitigate risk and respond. To achieve this, company leaders need to ask CISOs to calculate cybersecurity risks and also to participate in the process to bring their broader business expertise and insights to the discussion.
Is It a Lack of Security Talent or Lack of Education?
The shortage of qualified cybersecurity personnel is seen as an ongoing problem in the industry, and 70 percent of respondents to the aforementioned survey of CISOs confirm this. With this in mind, we spoke with several CISOs to learn what they think about the lack of talent in the industry.
Interestingly, some of the respondents think that the issue is not finding the right candidate, but the high expectations placed on a new employee. CISOs confirmed that business leaders require immediate results from a new hire, so they have to look for highly qualified candidates with unique skillsets instead of developing such talent internally. Unfortunately, this greatly narrows the pool of candidates, as there are many different technologies and solutions on the market, making it difficult to find a person who has all the necessary skills and experience.
Another reason why enterprises are reluctant to educate new hires with less experience is the concern that they would invest in people who receive elevated training and then leave for a better paying job. However, given that such security specialists are rare, there is no guarantee that an already skilled professional will not receive a job offer with more interesting tasks or a higher salary either.
To address this talent shortage, it is important for businesses to approve “backup” vacancies in the information security department that are not tied to urgent projects. It is also important that new hires are mentored and given not only routine responsibilities like log review or first-line alert monitoring, but also the chance to learn something new and grow professionally.
It is becoming clear that enterprise security depends not only on implemented solutions, but also on how well-tuned internal processes are in terms of communication between departments, hiring, training of personnel and budgeting. I recommend business leaders pay attention to these pertinent areas and discuss them with their respective CISOs before challenges arise in order to make the best decisions for their organization.