Provider Exchange Partner Spotlight: SANS Cyber Immersion Academies

Applicants wanted to upskill and reskill in VA and MD for #cyberjobs

Most CEOs will tell you security is an important aspect of their business operations. But too often, what’s deemed important by management doesn’t always translate into real priorities. We’ve seen too many cybersecurity teams stretched thin on staffing, overworked, and improperly aligned with the rest of the organization. This leaves companies vulnerable to cybersecurity threats, huge losses, and bad PR.

Recently, CyberSN Founder and CEO Deidre Diamond spoke with Dan Blum, Cybersecurity Strategist and Author of the book, “Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment,” about this pervasive problem. Cybersecurity operations are complex, but the solution to better security is simple; companies must align business processes with cybersecurity operations.

Hear the discussion. Watch “Hire, Motivate, and Manage a Business-Aligned Cybersecurity Team.”

What is Cybersecurity-Business Alignment?

Blum, who has years of experience in the corporate security field at organizations like the Burton Group, Inc., and Gartner, defines cybersecurity-business alignment as:

“A state of agreement or cooperation between persons or organizations with a common security interest. It is enabled through security governance structures, processes, communication skills, and relationships that engage the business. When in a state of alignment, all business leaders, staff, and business-related processes act in accordance with clear roles and responsibilities to support the security program and strategy.”

In other words, alignment happens when cybersecurity is fully integrated into company operations, all employees understand the importance of security, and chief information security officers have input when important decisions are made. It also means funding cybersecurity teams and technology to allow them to do their job and do it well.

Unfortunately, many companies understaff their cybersecurity teams or silo them away from important projects and decision-making meetings. Management may understand that cybersecurity is a vital aspect of business but they are not clear on the investment required to do cybersecurity right. According to Blum, only 44% of boards of directors consider cybersecurity to be strategic. If more than half of directors say that cybersecurity is less important than other aspects of the business, then it will be nearly impossible for CISOs to get the resources they need.

“They may think they are funding it adequately but they are not giving it the attention required to make sure the work that’s being done is really fitting the business needs,” said Blum.

Misalignment Causes Problems

Corporate leaders want to run lean in hopes of maximizing profits, but as Diamond points out, the number one problem facing cybersecurity teams is the lack of budget to properly staff. The result is a cybersecurity team that feels stressed out, burned out, and has trouble disconnecting at the end of the work day. It also causes high turnover, putting more pressure on the team and more work on managers to fill an already hard-to-fill role.

This is especially troublesome in the CISO position. Most CISOs remain in the job less than three years. Considering how difficult these leaders are to replace, and that it takes about six months for a new CISO to fully learn a company’s security operations before even implementing a program, planning for the loss of your CISO should be part of your risk prevention strategy.

After conducting more than 70 interviews of corporate security professionals, Blum learned that security breaches are often predictable when cybersecurity operations are not aligned. When a CISO is denied funding for security measures, it leaves companies vulnerable. Having a skeleton staff leaves the security operations in disarray. Poor integration into the rest of the company can lead to hundreds of millions of dollars in costs and ultimately the company’s top leaders stepping down.

What Does a Well-Aligned Security Program Look Like?

“The biggest problem that companies have is a lack of a definition of security that fits their business,” said Blum. Management must define how security applies to their business strategy, their vertical industry, the culture, mission and mandate of business, as well as what oversight of that security means, said Blum. Security is part of how companies do business in a digital environment and should be treated as such.

Here are some steps companies can take to ensure a well-aligned security program:

Diamond emphasized that the lack of clearly defined cybersecurity roles is a major gap she’s seen in cybersecurity staffing. Roles that are poorly defined make it harder to recruit, but also make it more difficult to define accountability. These problems lead to dysfunctional teams and hinder retention. Companies also need to bake hiring and retention into the job description and responsibilities of managers, she said. Finding cybersecurity professionals takes work and time, as does investing in the relationship-building efforts and EQ training required for keeping those employees. Documenting it as part of the job shows that the company takes cyber staffing seriously.

Alignment Starts at the Top

How can teams make security as seamless as possible? It’s a question managers and executives should be asking regularly, and one they should work collaboratively throughout the organization to answer. Enacting cybersecurity-business alignment can shed light on potential problems earlier in the process and open the door to new ideas and innovation.

“Through alignment you can release a lot of untapped potential,” said Blum. “Look for progress not perfection. Making some progress is really going to move the needle but it happens with the team. It’s a team sport.”

With more employees working from home than ever, companies must be vigilant to protect themselves from evolving cybersecurity threats. Your cybersecurity team has likely been hard at work maintaining privacy and safeguarding the enterprise, even as shifts in the workforce present new challenges. But as most cyber professionals know, a major hurdle in risk management is making sure the entire organization values security and is doing all it can to protect the company’s reputation and assets.

Revisit People and Processes

The key to communicating the importance of cybersecurity within a company is to use the established means of communication. Work with the point person for internal communications to emphasize the importance of cybersecurity awareness and encourage compliance through regular reminders. Determine together the best means to disseminate and consume this information company-wide, whether it’s through an e-newsletter each week or a special awareness campaign.

These regular cybersecurity updates should cover the company’s security practices, which can include:

All companies want to protect themselves from cybersecurity threats and data breaches. Communicating the importance of maintaining security practices will go a long way in creating a security-focused culture.

Stay Vigilant Against Phishing Attacks

Phishing continues to be the top entry point of data breach and compromise. The Verizon 2019 Data Breach Investigations Report confirms phishing as the top threat and that cyber attacks are successfully executed with information stolen from employees who unwittingly give away their login and access credentials.

The ideal cybersecurity strategy uses tools and practices that aim to prevent attacks against all systems and people. Cyber solutions, including security products and the people behind them, can only take security so far and ultimately fail. Regardless of the budget a company spends on cybersecurity or the number of products it employs, the actions of a single person can impact the organization. Awareness campaigns arm people with the skills and, hopefully, the skepticism to avoid common cyber threats, supplementing the technical controls put in place by cyber teams.

Extensive working from home only adds to the problem. The environment is target rich for phishing opportunities. People are working in a more casual environment using unfamiliar tools. Emails and alerts prompting users to reset a password or click on a link about a COVID-19 update can fool even cautious employees during this time.

The most immediate step cyber teams can take is to revisit remote access security practices and make sure employees are aware of the increased threat from phishing scams due to the coronavirus outbreak.

Prevent Cyber Staff Burnout

Infosec and cybersecurity teams have been putting out fires and taking on additional responsibilities for weeks as companies rapidly shift to this new work environment. While cybersecurity professionals often thrive in high-pressure situations, weeks of long hours and growing stress levels can take their toll on morale.

Security managers should continue to advocate for their team: push for the funding you need to give them the right tools and full staffing levels. Check in with your staff to gauge stress levels and create ways to address burnout, whether that be more time off or more staff to spread out the workload.

Cybersecurity is one area of business that’s often a victim of its own success—when you’re doing your job well, no one knows you exist. This can also make advocating for more resources difficult. Cybersecurity attacks cost businesses large and small not only financially, but target their reputation and put them at risk of failing, according to the business strategy firm Accenture. Investment in cybersecurity now, even when budgets are shrinking, will pay off in the long run.

Communicate to Battle Cyber Threats

Information security departments can sometimes take security measures for granted. It’s easy to forget that employees may not use 2FA unless prompted to, or have been recycling the same three passwords for years. By using the internal communication systems to better educate employees of emerging threats, enhancing security practices to increase your cyber resilience, and taking care of your cyber staff to avoid burnout, you will better protect your company’s assets and help contribute to the long-term growth of the company.

In the era of the mega-breach, CEOs have increasingly been called on to account for the cyber readiness of their organizations. Ask any CEO and they’ll surely tell you that they consider cybersecurity to be of the utmost importance to their organization—in fact, one major survey of US CEOs this year had them rank cybersecurity as the number one external concern in 2019.

However, sometimes it seems a lot of that concern is still at the platitude and lip service stage.

Here’s a good example of how that kind of lip service plays out in a large organization. It’s a classic example of what longtime security pros would label as ‘security theater.’ The top levels of an organization publicly commit to building out stronger cybersecurity practices. As a sign of their good faith to regulatory auditors and shareholders, they green light the opening of dozens of new positions to fill out the cybersecurity team.

Sounds great on paper, right? Yes, with a big caveat. What wasn’t so publicly disclosed is that though the funds are opened up for salary and benefits, very little additional money is put into the recruiting or training elements of filling these slots. The security leaders are left out in the cold in an extremely competitive market to find scarce candidates. They’ve got to make do tapping into their own limited network of contacts and maybe leaning on a little internal help from HR, which rarely has valuable insights into the unique nature of the insular security world.

The result? Months and months go by and very few of those copious open positions are filled.

This is far from a hypothetical situation. We’ve seen it play out so many times, we’re almost willing to put on a tinfoil hat and posit a conspiracy theory that maybe CEOs just aren’t that serious about building security teams. They open the positions for show and then tell their CISOs that the positions need to be open a minimum of six months before they allow an outside agency to begin to work them. Unsurprisingly, almost one-in-three organizations today reports that it takes at least six months to fill their cybersecurity positions.

This is a particularly tough situation for new CISOs tasked to build out a team from scratch. Many of these people are sacrificial lambs being readied for slaughter in the event of a breach down the road. The leader is brought in and told they can hire a set amount of people and aren’t given the support to do so. They struggle to find candidates due to the extreme constraints of the market, and are turned down time and again by their executives for permission to use a specialized recruiter to help them out. Six months go by and no luck. A year goes by and they begin to feel really frustrated. A year-and-a-half passes and the writing is on the wall that they may never be able to build out a world-class team.

For security leaders jumping into a new position, we recommend that the recruiting budget to use outside agencies be approved in writing before they start. When they’re brought on with the promise of building out a new team, try asking the organization to include details about recruiting support directly in the offer letter. Make sure that the CEO and leadership are willing to put their money where their mouths are when it comes to the commitment to attracting first-rate security talent. Putting it in writing could save a lot of heartache and frustration in the long run. My very best advice: Do not go to work for a company that will not give you, in writing, the budget to use a staffing agency specializing in cybersecurity.