This post was originally published here by (ISC)² Management.
Stop us if you've heard this one before: Cybersecurity professionals are responsible for protecting their organization’s users and data from cyber threats, yet they feel underappreciated.
Two-thirds (67%) believe “IT security is viewed either as merely reactive to business needs or a cost rather than an asset to the organization,” says a survey of cybersecurity professionals and CISOs by Thycotic, a privileged access management (PAM) vendor. The survey found that a majority of cybersecurity professionals in the United Kingdom and Germany say executives and co-workers see them as more of a burden than a business benefit – a notion that restricts them in their work.
“Traditional attitudes about cybersecurity appear to remain entrenched, with boards seeing IT security as reactive vs. proactive, a cost rather than an asset, a policeman rather than an enabler, and a team that says ‘No’ rather than ‘How,’” Thycotic says in a report of the survey’s findings.
This perception has deleterious effects by restricting IT security, according to 60% of respondents. It places a burden on CISOs and cybersecurity professionals to “manage up” by defining their roles to company leadership along the lines of business risk management. And this requires doing a better job of explaining the impact of cybersecurity on the business in terms business leaders understand, the report argues.
This helps explain why only half of companies give their CISOs a seat on their executive boards. Even more troubling, 36% don’t even view the CISO as a key member of the corporate management team. The existence of a CISO, especially one who reports up to the CEO or Board of Directors, is key to a strong cybersecurity culture. (In fairness, a strong majority of respondents to the Thycotic study (88%) agreed that executives listen to CISOs and value their input.)
The Thycotic study encourages CISOs and cybersecurity leaders to “promote the positive effects and value of cybersecurity to every employee, citing examples and reinforcing the rewards of cyber hygiene at every opportunity.” CISOs, the report argues, must be a force for change and, as such, get their leadership teams to see cybersecurity professionals as business enablers, not merely enforcers.
Easier said than done? Our own research shows us how. Watch the video on Building a Resilient Cybersecurity Culture.
How about you? Have you had success changing perceptions of security in your organization?