"Department of "No"? Not any more. Stephen Roostan at Kenna Security describes how security professionals are turning into local heroes, even in the eyes of their IT colleagues
In the past, cybersecurity professionals were often viewed as a necessary evil. Sequestered away in dimly lit rooms, these masters of the dark arts of information security were seen as tech nerds whose job it was to keep mythical dragons from the doors of the enterprise.
Colleagues typically referred to them as the ‘department of no’ because of the volume of requests they blocked on grounds of perceived risk, and those without a security remit more often than not saw them as a hindrance to productivity.
Fast forward to today, however, and it’s a very different story. According to research from ISC(2), 71% of professionals outside of the security community now view cybersecurity professionals as ‘smart, technically skilled individuals’ - and 9% go as far as to claim they think of cybersecurity professionals as ‘heroes’.
No longer perceived as the agents of doom or the naysayers who stand in the way of progress, they’ve become the good guys who work tirelessly to keep the organisation secure and safe from cyber threats.
Let’s take a look at just some of the factors that have contributed to what is a truly epic reputational turnaround.
The rise and rise of digitalisation
A decade ago, senior executives rarely paid much attention to cybersecurity. But as digital transformation created ever more complex environments that potentially exposed the enterprise to risk, the security capabilities of the business quickly rose up the boardroom agenda.
With pressure on to ensure that nothing stood in the way of business innovation, cyber risk management quickly became an operational priority, especially once cyber criminals began to up their game with large-scale DDoS, malware and targeted ransomware attacks.
As stories of high profile breaches began to hit the headlines with monotonous regularity, no one could ignore the fact that information security had suddenly become an organisation-wide concern.
The digital response to COVID-19: changing to remote working
Overnight, the coronavirus pandemic changed the rules of business engagement for companies in every industry sector. Forced to pivot at speed and at scale, there was a rapid surge in demand for digital capabilities and services, as organisations transitioned to remote workforce models and focused primarily on serving customers through digital channels.
However, the wholesale move to remote digital operations meant organisations now faced myriad new risks and vulnerabilities. Suddenly, cybersecurity teams found themselves tasked with a new mission: supporting business continuity while protecting the enterprise. No easy task when threat actors were quick to exploit the opportunities brought about by the explosion of the remote workforce and the rapid expansion of the enterprise attack surface.
Enabling productivity while securing what matters most to the organisation has now become a mission critical endeavour, as organisations reimagine architectures to enable remote digital working environments for the long term. Little wonder then that cybersecurity professionals have become the highly visible enablers of the future of work, whose activities are critical to maintaining productivity without compromising data security.
Unsurprisingly, all this has prompted a significant uptick in investment in new cybersecurity tools and solutions. Despite the damaging economic impact of the pandemic, the cloud security market alone is expected to grow by 33% in 2020.
Bridging the divide: closing the gap between security and IT
There is one other important factor that has significantly contributed to the rise of security professionals in the popularity stakes. Today’s modern risk-based vulnerability management (RBVM) platforms have made it much easier for cybersecurity professionals to prioritise and score the actual risk an individual vulnerability represents for the organisation’s assets and applications.
Not only does this significantly change the way that cybersecurity and IT professionals work together; it also paves the way towards better communication and collaboration between the two teams.
Over the years, IT teams have become accustomed to being handed a long list of ‘critical’ vulnerabilities by their cybersecurity colleagues, a practice that has generated much friction and a lot of frustration on both sides.
It wasn’t just that security teams were perceived as ‘pushing’ unwanted workloads onto IT, presenting them with spreadsheets of vulnerabilities they had to ‘fix’. All too often this led to disputes, especially when security thought one vulnerability should be prioritised and IT believed another was more deserving of their attention and limited resources.
Fortunately, today’s RBVM solutions have made it much easier for everyone to work more closely together in harmony – and in a much more informed way.
Focusing on the right risk – at the right time
Today’s data-science-driven, automated vulnerability management platforms have made it much easier for security professionals to focus on the 2%-5% of vulnerabilities that actually pose the greatest risk to their specific enterprise, measuring risk across asset groups by function, geography, compliance requirements, or anything else that makes sense for their own environment and risk tolerance.
From there, remediation teams can easily identify which high risk vulnerabilities they need to address first. Armed with these ‘top fix lists’ that eliminate any need for guesswork, security and IT teams are at last able to align around a common goal; that of reducing risk in the most practical and efficient way possible.
As well as enabling everyone to understand what to fix, why they should fix it, and how to fix it, the most advanced RBVM solutions have also made it much easier for IT to access all the data they need, together with all the context they need to use it productively. All of which makes it possible to work together much more collaboratively to close security gaps. No wonder the security professional has made the move from ‘zero to hero’ in the eyes of their IT colleagues.
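The prioritisation the preceding paragraphs describe, as an added example that is not Kenna Security’s code or scoring model: a small risk-scoring routine run over a constructed set of findings. The weighting (CVSS base score, multiplied by a threat factor for public or in-the-wild exploitation, an exposure factor for internet-facing assets, and the asset’s business criticality) is an assumption chosen to illustrate the approach, and the asset names and finding identifiers are made up. The point it shows is the one the article makes: a CVSS 9.8 on a lab box drops to the bottom of the list, while a CVSS 7.5 that is being actively exploited on an internet-facing, business-critical host goes to the top.

```python
"""Risk-based vulnerability prioritisation over a constructed finding set.

Added example, not Kenna Security code. The weights below are an
assumption for illustration, not any vendor's scoring model.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    group: str            # any slicing that fits: business function, geography, ...
    criticality: int      # assumed scale: 1 = disposable, 2 = important, 3 = business-critical
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str           # constructed identifier, not a real CVE
    asset: Asset
    cvss: float               # CVSS base score 0.0-10.0 as reported by the scanner
    exploit_public: bool      # working exploit code is publicly available
    actively_exploited: bool  # observed being exploited in the wild


def threat_multiplier(f: Finding) -> float:
    """Assumed threat weighting: in-the-wild exploitation outranks a public PoC."""
    if f.actively_exploited:
        return 3.0
    if f.exploit_public:
        return 2.0
    return 1.0


def risk_score(f: Finding) -> float:
    """0-100 score: severity x threat x exposure x asset value, normalised to the maximum."""
    exposure = 1.5 if f.asset.internet_facing else 1.0
    raw = f.cvss * threat_multiplier(f) * exposure * f.asset.criticality
    max_raw = 10.0 * 3.0 * 1.5 * 3  # highest value any finding can reach under these weights
    return round(100.0 * raw / max_raw, 1)


def ranked_by_risk(findings):
    """Highest risk first; finding id breaks ties so the order is deterministic."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))


def ranked_by_cvss(findings):
    """The 'spreadsheet of criticals' ordering the article contrasts with: severity alone."""
    return sorted(findings, key=lambda f: (-f.cvss, f.finding_id))


def top_fix_list(findings, fraction=0.05):
    """The small slice to remediate first, e.g. the top 5% by risk (at least one item)."""
    n = max(1, math.ceil(len(findings) * fraction))
    return ranked_by_risk(findings)[:n]


def risk_by_group(findings):
    """Total risk per asset group, highest first, so remediation effort can be targeted."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.asset.group] += risk_score(f)
    return {g: round(t, 1) for g, t in sorted(totals.items(), key=lambda kv: -kv[1])}


# Constructed sample inventory and scanner output.
WEB01 = Asset("web01", "customer-portal", 3, True)
DB01 = Asset("db01", "customer-portal", 3, False)
LAB07 = Asset("lab07", "lab", 1, False)
KIOSK = Asset("kiosk-emea", "retail-emea", 2, True)

SAMPLE_FINDINGS = [
    Finding("F-001", WEB01, 7.5, True, True),    # moderate CVSS, exploited in the wild
    Finding("F-002", LAB07, 9.8, False, False),  # 'critical' CVSS, no exploit, lab box
    Finding("F-003", DB01, 9.1, True, False),
    Finding("F-004", KIOSK, 6.5, True, False),
    Finding("F-005", WEB01, 5.3, False, False),
    Finding("F-006", LAB07, 10.0, True, True),
]

if __name__ == "__main__":
    print("By CVSS alone:", [f.finding_id for f in ranked_by_cvss(SAMPLE_FINDINGS)])
    print("By risk:      ", [(f.finding_id, risk_score(f)) for f in ranked_by_risk(SAMPLE_FINDINGS)])
    print("Top fix list: ", [f.finding_id for f in top_fix_list(SAMPLE_FINDINGS)])
    print("Risk by group:", risk_by_group(SAMPLE_FINDINGS))
```

Run as-is, the CVSS-only ordering leads with F-006 and F-002 (both on the lab host), while the risk ordering leads with F-001 and F-003 on the customer portal, and the per-group totals show where the exposure actually sits. The multipliers are the part a team would tune to its own environment and risk tolerance; the structure (score, rank, cut to a short list, aggregate by group) is what a shared top-fix list needs.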
The past year has served to accelerate the rising popularity of cybersecurity professionals. Now held in high regard by both ordinary employees and senior business leaders, their role has gained widespread recognition as being crucial to the health and future of the organisation.
But it’s perhaps the reset in human relationships, made possible by the introduction of today’s innovative risk-based vulnerability management systems, that has generated the most productive benefit of all, making it possible for security and IT teams to work together far more effectively to cut down exposure across the enterprise.
Stephen Roostan is VP EMEA, Kenna Security