And apparently he is not alone. New research commissioned by Thycotic, shows that the majority of UK IT security professionals feel that they’re suffering from an image problem amongst fellow workers. The report highlights the challenges CISOs currently face and gives some tips as to what can be done differently and how.
The research, conducted with 100 UK IT security decision makers, found that:
Nearly two thirds of respondents (63%) feel that their security teams are viewed as the company naysayers
More than a third of respondents (38%) believe that they’re viewed as the ‘policemen.’
Over half (56%) feel that they’re restricted by the board
Commenting on the findings, Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic notes, “At a time when security teams are under huge pressure and play an increasingly strategic role within the company, it’s disappointing that they’re not feeling valued either by their co-workers or by senior executives.”
Communicating with the board - it’s all tech to me
Joseph explains that the issue is that executive teams tell security personnel to solve the cyber security problem. “But that is an impossible ask to anyone. Any organisation that tries to solve cyber security is never going to be successful; you cannot solve it,” he states.
“The board does not care about security, they don’t care about solutions or technology. What they really care about is return on investment,” he explains.
The problem lies in communication. Information needs to be presented in a way that the board understands; in business language without being overly technical, he advises.
‘Facilitators’ rather than ‘enforcers’
The study found that security professionals are also struggling to promote their value to other departments in the business. 90% believe that other departments could have a better understanding of what they’re trying to achieve, whilst an equally high majority (88%) feel that it could be easier to communicate their views to executive management in other functions such as HR and Finance.
Unfortunately, some employees view the CISO as making their job more difficult and preventing them from doing their work. “There’s a need for IT professionals to communicate their strategic importance and how they must reinvent themselves as ‘facilitators’ rather than ‘enforcers’ who enable the business to run smoothly,” Joseph explains.
Furthermore, Joseph thinks that each team in the organisation must get better at reporting risk so the CISO can effectively put the right measures in place to reduce the risk.
Win some, lose some
In an industry that’s plagued with horror stories, Joseph also suggests that security leaders should be talking more about their successes and the wins that they make in an effort to boost their image and receive more support and backing from the board.
He also considers communication skills training for CISOs to be a well-spent investment.