Businesses wanting to improve their security practice need to reconsider the way they position cybersecurity within their business philosophy, a security analyst has told an audience of security practitioners while warning that the persistence of “terrifying” images of cybersecurity practitioners had challenged the progression of cybersecurity into becoming a mainstream business concern.
Boards and senior executives had become more aware of cybersecurity as a risk, Forrester Research principal analyst Jinan Budge told the audience at the Cisco Live! Cybersecurity Innovation Day, “but that isn’t necessarily matched to understanding.”
Cybersecurity needed to extend to business users from the senior executive all the way down the corporate hierarchy, Budge said, and that included proactive efforts to counter the “philosophy of locks and keys and hoodies that we have managed to label ourselves with. For people in business who don’t know anything about security, that must be terrifying.”
That attitude had far-reaching implications even in terms of the funding and recruitment strategies that companies have – often unsuccessfully – used to build their cybersecurity cultures.
Given the expanding cybersecurity skills gap, companies needed to be investing in cybersecurity tools and strategies at a level that will demonstrate a broad commitment that extends far beyond buying a security framework and ticking the boxes.
“To be able to attract and retain us it needs momentum, excitement, energy, and cool tools,” Budge said, “so unless you are investing in security this is going to be difficult.”
This included “investing In humour” as well as investing in “the know part”; and embedding behaviours using techniques like design thinking, behavioural science, and gamification.
“It is the combination of all these things that is creating an empowered security culture, she said, “because ultimately that is what we all need.”
To make security more accessible from a business perspective, she said, businesses needed to pursue a risk-aligned strategy that is stakeholder focused and includes a quick technology roadmap with clear initiatives and a clear timeline.
Continual reinforcement can change attitudes over time, she said, noting the rapid evolution of cloud services and their acceptance within business within recent years.
Just years ago, she recalled, many executives said “hand on heart I will never allow cloud in my organisation. A few years later, the conversation has had to evolve.”
Conversations between CISOs and boards were also evolving as security experts were increasingly being called upon to comment in areas such as geopolitics, law, cyber warfare, and more – all outside the traditional network-focused scope of cybersecurity.
This sort of broader engagement was crucial to overcoming lingering perception issues: 18 percent of CISOs, she noted, still said their board members consider security practitioners to be a “nuisance”.
“Organisations are still investing in network and content security versus considering cloud security, mobile, and Internet of Things security,” she said. ”They don’t have the time to lift their heads up and understand what their risk profile is.”
Changing this perception – and implementing strategies for addressing it – would inevitably pit cybersecurity against “sexy” technologies in terms of fighting for executive mindshare.
“Whilst not as sexy as things like artificial intelligence or machine learning, things like patching are important,” Budge said. “We just have to work out how to do this. We can’t just focus on the strategic, on the forward looking. Once we do that we just start to lose.”