Slowly but surely, organizations are starting to view information security as a business problem, not an IT problem, and as everybody’s responsibility.
“The CISO role is evolving to be less technical and more business-centric and, in many organizations, the CISO no longer reports to the CIO or CTO, but rather to the CEO or Board of Directors. As a result, many more business decisions are made with security [and privacy] in mind,” says Naomi Buckwalter, Director of Information Security & Privacy, Energage.
The fight is far from over, though: many organizations are still stuck in the old mindset. Cybersecurity leaders in those organizations have to do a better job of aligning their teams' missions with those of the business, she opined.
Building trusted relationships
“Our job as security leaders is to ensure that security is viewed as a service for the business, guiding our organizations towards their missions while minimizing security risk,” she noted.
“There are many benefits to this way of thinking. The first is quite obvious – if your security team’s and business’s missions are aligned, then making mission-critical decisions is quite straightforward. Your security decisions are always made with the business’s best interest in mind. You’ll also never burn out because your decisions are never made in a vacuum; other leaders within the organization work with you to make those decisions.”
The best cybersecurity leaders are those who have trusted relationships with business leaders, who in turn act as advocates for security within the company. Newly appointed security leaders should start building those relationships as soon as they enter the role.
When Buckwalter assumed her current role, she had yet another hurdle to overcome: she was the first full-time security hire at Energage.
“Being the first person in any role is difficult, and I’d argue that’s especially true in cybersecurity leadership roles,” she said. Luckily for her, her first employer – mutual fund giant Vanguard – gave her many learning opportunities and formal training in IT and security.
“I ‘grew up’ in my security career within an established and mature IT security framework; I was basically a cog in a well-oiled machine. But, after almost 13 years there, I decided that the only way I’d truly grow as a cybersecurity professional was to leave the proverbial ‘nest’ and try flying on my own,” she told Help Net Security.
“It’s been over five years now, and through all my successes and failures, I can confidently say that I’ve learned a lot about myself, cybersecurity, and people in general. My greatest lessons, without a doubt, have been the many moments that taught me humility, self-discipline, and empathy. Some of those lessons were learned the hard way – I’ve definitely eaten my share of humble pie. And I’m still learning every day.”
Filling a security team
Appropriately staffed cybersecurity teams are more confident in their ability to respond to cyber threats, a recent ISACA survey has confirmed, but most organizations are struggling to find skilled and experienced security staff.
The need for capable professionals is so pressing that CISOs might end up getting involved in daily operations when they should be focusing on high-level strategy.
There are various proposals and initiatives to funnel (and keep) more capable people into the infosec industry. Buckwalter says it always astounds her how few junior-level roles exist in cybersecurity.
“After all, there is plenty of junior-level security work to go around. Asset management cleanup, PII discovery, procedure documentation, filling out security questionnaires, scrubbing out false positives from alerting systems – I could fill out a dozen job specs with the things I wish I had more help with,” she pointed out.
“If more junior cybersecurity professionals had these opportunities, we’d have legions of experienced and battle-hardened senior cybersecurity professionals within a short amount of time. We just have to make that leap of faith and give new folks the right opportunities. You know, someone took a chance on me when I was a noob. I would argue that’s probably the case for many people. I find it ironic that people who were given those chances don’t turn around and do the same thing for others looking to join cyber. I sincerely hope that changes in the future.”