New research published today suggests that the modern CISO considers their job to be an increasingly thankless one. The research by Bromium is based on a survey of 500 CISOs from large enterprises in the US (200), UK (200) and Germany (100), and is part of a wider report on the role of the end user in cybersecurity.
Fraser Kyne, Bromium’s EMEA CTO, said the research revealed that most security teams utilise a ‘prohibition approach’ – i.e. restricting user access to websites and applications – a tactic which is hampering productivity and innovation while creating major frustration for users.
"We have been speaking about it for a while. The key is finding out how to strike a balance; this is because the real necessity of the role is to protect the operation.
"This has been a perennial problem in the IT department. The security department is also known as the 'say no' department. Modern CISOs realise that if they amend their approach they will be seen as enablers rather than road blocks. The great thing about the internet is that it gives you access to everything; the bad thing is that it gives everyone access to you.
"We need to realise that separate divisions within businesses carry out separate tasks. For example, HR needs access to LinkedIn and Facebook while marketing needs to use Twitter. So the job of protecting the brand integrity as well as customer information lies squarely with the CISO.
74% of CISOs said users have expressed frustration that security is preventing them from doing their job
So when we asked why CISOs don't just change the processes that increase friction with users, Kyne said: "They [CISOs] can change it, but responsibility is shared and if someone makes a decision, the accountability tends to go to that one person. Saying that to the Board is not that great because risk is easy to manage until bad things happen. A greater balance needs to be struck between taking these decisions and reducing the number of processes in place. Over-zealous security tools that are in place to protect the business can often be a major road-block.
"With the example of how the human resources department of a company works, they need to research candidates using social media channels like LinkedIn, Facebook, Pinterest and Instagram. This is to run basic background searches and so for them to get access to these mediums is a logical request. However, if you see it from a security angle, these are dangerous sources of information because the CISO cannot control what they see and download. So, they block Facebook and LinkedIn so they can run a secure operation.
"Users, usually, have a cavalier attitude about security, but the CISO has to argue the business case. By allowing access, a potential risk area to the business is opened up and exposed. Balance doesn't have to mean compromise. It has to be struck with less compromise, while protecting business operations.
The research further states that 77% of CISOs said they feel stuck in a Catch-22 between enabling innovation while keeping the enterprise safe; given the other statistics, we were surprised the number wasn't higher!
"It is not higher because it is down to situational conditions within the organisations. The job of a CISO is all about balance. It depends on the individual and whether or not they are empowered by their organisations to take decisions. If they have the go-ahead to take a strong decision, they will be able to reduce friction. If we had asked if they thought the balance was right, it would have been interesting to see what the answers would have been...
"This number basically means that 30 percent of CISOs in the survey have the empowerment to do as they want!
The survey threw up another interesting statistic, suggesting that 71% of CISOs say that they are being made to feel like the bad guys because they have to say ‘no’ to users.
To this Kyne says: "As a parent, I am the bad guy. I know it is for my children's benefit. So with my CISO hat on, I have to do things and make decisions that are the right thing to do for the business; for the protection of the operation and also so employees understand risks. However, with my user hat on, I want to use the complete internet with full impunity. So the CISO is between a rock and a hard place.
The key for organisations is for employees to be able to use the internet without risk. Unless we can do that, the job of a CISO will continue to be a difficult one.