Despite recent high profile data security incidents, it seems business leaders still are not acknowledging their IT vulnerabilities: In a recent cybersecurity study, 20% of survey respondents cited business and executive management treating cybersecurity as a “low priority” was one of the top three reasons behind organizations experiencing security incidents.
The study, conducted by the Information Systems Security Association and analyst firm ESG, surveyed 343 cybersecurity professionals worldwide. Titled The Life and Times of Cybersecurity Professionals, the survey sheds light on how the cybersecurity skills shortage is worsening for businesses.
The problem is exacerbated because business leaders often don’t understand what information security or cybersecurity is, thus making it a low priority throughout the organization, Candy Alexander, member of the ISSA International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle, explained.
The onus also lies on information security and cybersecurity professionals to get a lot better at educating their businesses about cybersecurity, Alexander said.
“As information security folks, we’re technical by nature. When we go in to have those conversations we’re bringing in technical conversation to a non-technical business person,” she said. “It’s clearly not working and we need to get better at having those business discussions.”
Business managers don’t support an appropriate level of cybersecurity and are often content with “good enough security,” Jon Oltsik, senior principal analyst at the Enterprise Strategy Group (ESG) and the author of the report, added. “But good enough security doesn’t work anymore.”
Creating an environment where cybersecurity is priority from the top of the organization can help mend the situation, he suggested.
Cybersecurity professionals also often don’t understand business methodology, Alexander said. Infosec professionals should sign up for online business communications or business theory classes to help understand the language of business and get better at communicating with the business, she said.
Alexander also stressed the value of networking as a tool to help businesses understand the cybersecurity professionals’ role in an organization. Cybersecurity professionals should look to their peer network to find somebody who is skilled at providing justification for cybersecurity investments and who has a good rapport with the business when doing so, she recommended.
“Latch on to that person and start networking. Use that person as a security mentor,” she said. “If I’m having a hard time getting a concept across to my business, such as maybe budget justification for hiring more staff, then I’m going to go find somebody in my peer network — a fellow CISO or a fellow infosec director — who is really good at it and I’m going to get their input.”